Malware Analysis Report

2024-09-09 16:43

Sample ID 240614-1l47xaxcjf
Target ab9ab1973395c886b5ff706df7d1eb7c_JaffaCakes118
SHA256 ed1867e8b770fd53dbac6586770c0de0640a192d18869978c7db4388c917f007
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed1867e8b770fd53dbac6586770c0de0640a192d18869978c7db4388c917f007

Threat Level: Known bad

The file ab9ab1973395c886b5ff706df7d1eb7c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 21:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 21:45

Reported

2024-06-14 21:47

Platform

win7-20240611-en

Max time kernel

133s

Max time network

127s

Command Line

wininit.exe

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px1111.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61F410A1-2A97-11EF-BA09-6ACBDECABE1A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c091d336a4beda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb810000000002000000000010660000000100002000000034281ad11125cd1dbc3dae6282ad27e354ec9e867b4c1fc12bb931b76aa2cf13000000000e8000000002000020000000a06d677ed0055592df1b1e8d1910e5c5a47900dfd2df6ad5f8e7fd52e79fdaf09000000035290264adb998bf41577ec1883e7ff1369fc21090d6d4ef49bafa6d9f8fc419f8d8a8600447fa9a031a33f7f951014970bc230ebb6c8d6cfa04d538f8cb46841e70219de1d9591e24453cda0484e89c334e365153056402c5c39656059420e90b93c3ad6c41d7651a19c3f722b96312c4b2169e4c72aa5a3c93c45cff7eb491b4dd30e48d174901aa797a05b0073807400000009c455712e74a7af65346add777a6be75f1c4feb44417cde5e7d33efe9519596aa3fcdece68e7407e1124d88756e696f3a9ba4fff6ca84721d67c224bac9685f4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000001b8b3b89b8182e6b1e6e6da0ed25734abccfa31b69b40f094edfa4d69894d8ad000000000e8000000002000020000000b8c641bed3648854fe1fec64077b33263da7d32ed5e21c3f351299e19ae0658e20000000bfb99de28044fd75a1708047adea100c3386acb87409944aba9773555716b40840000000cbd0dfae46222fbab65922875e9e4a6503a445643889016041fede616d05e2de7478394d9acd3d8247417105f366ef90d29b53177a4816afe433c35f78c35e3d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424563381" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2160 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2616 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2616 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2616 wrote to memory of 2648 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2648 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ab9ab1973395c886b5ff706df7d1eb7c_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 df455f0fa8fb3fa4e6699ad57ef54db6
SHA1 51a06248c251d614d3a81ac9d842ba807204d17c
SHA256 15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1
SHA512 f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

memory/2648-6-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2648-11-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2648-10-0x0000000000280000-0x000000000028F000-memory.dmp

memory/2648-9-0x0000000077070000-0x0000000077071000-memory.dmp

memory/2648-8-0x000000007706F000-0x0000000077070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab26A6.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar2759.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1fc2bc6e91d333e8070f01628caadb65
SHA1 621de1c82df2ea89aeb0869c515cc91c7bc98828
SHA256 1ceb6aac10f24b1d4a58a47cb901501bcb320a7453cec1618b7b03ae232e70db
SHA512 c1fb43101f19df46151d8bb422c36a4a6f5c5ed83298e6362921dd511f715e14abb0e78fd87cf31cacd1f24b1c2b063135a327a6a491a13fdee9ca55e942ef92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22c5812eb8aea5323874edf16e672c04
SHA1 4959fceb4b437250c2083fbf5c715008948e9a80
SHA256 ea540a99d559e9a22464fbe82173319cde35a376a0b3bbb5f9afd030b4d8c61d
SHA512 b312f5664335a23b9eacedcf518a614897d82d4924996f439f0f2fafe9d1a13d5d99dd5b3dfcef26d3fcf11e409c00954f80d20b0997ec3ca93a92ce3a5e0ca0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbc038e149807c67f470e836222c16b1
SHA1 681f5815f17b6ec6d8f9a409098040919fa95df1
SHA256 cac696e44a2684e3f164ded13f92946c70249b100c3b0386aa1be56fc8e0b59a
SHA512 d42c1eaa89bbf15a466c0ee0e7d2cd1c03c4ce76c02872d4b17297faf461652a77319f20435efc114e0483f359680c8a6010463706801192809d357d4cf1b53e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e89f550aaded212f67420532d92bbc3d
SHA1 f03ba1f5d601ed734e4d61280f659c316021faf1
SHA256 d6bc2837af439e664600394fac69d83b74e2e5e680415d37ab0cee260c92186c
SHA512 7064e01eb131b0205ad391220319f81670ce470f9ab6a3ca5ed6690696af834c932a7c4f61df615490f6171b294a8e5af863285ccf95d3b9deba458952a24033

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77eeeb3c25753aaae728ac246aafe6b4
SHA1 1c158d83f5e0b93b8bc8a8cf0a99021fc9a5f80d
SHA256 05dc29c969e11cc75e5884166650675bd467a3c4efc98f86d53e0d6ebb00ef20
SHA512 dfe5a9015bf85816696cf5cb532a3e3321e22a34bc9f95cc1e1157458c5250610573945caa838a151ae75736a65dd9a293644746eff5d0fbcac868181f898176

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 057684272024dc870b57b0ce966dce02
SHA1 fda7468fb167dedf767e318ec3276041a3524fa4
SHA256 cf4f85eb342780d09dda8f488764f9f7d2be21865af29ed517151a12d7a57e3c
SHA512 05a2e333ece08796d0c1a36d45425ddae3927f9902a38e6b7220f004a3ef3e062b279bc88e4b51b34cbb7858d56db292683cb20c48167f33877af550c7c07ceb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3043d88268cc0897c1853cb3a026a1e
SHA1 be45c77d92c1f4e5bfa74c1722dd0319730bb375
SHA256 721be0a4e622b99f9edc7e3d5d8c925b3ccf50bfc04f36438fcdee0c419613e1
SHA512 9d83f7391b81750444c4beb052defeaf411ac069b557489dbc4cf4609685741663d4e85a5fc8504fe40a4c0b506d44f116ccaee23f764ce7aeb73cbb6c571597

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e25f790d8b331206b0f10e718ef5d659
SHA1 b44a187408d2410733194c7866f9407b7b742c03
SHA256 9b4431737fe3c77d599a6bf7e9403ce9a84592b877a2246e8f7d28a58bac7aeb
SHA512 35c88dccc169dbce6596efa03f5c2f184428184c8c8f607646d65a55e228f65fba9f2ca4c130eb175ca6ce61d0ac92e63c8a5ab5b901d6540f8cd789eafddbb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e78fae7132589137781f999df7141ef
SHA1 631d4bcbc3aa029aafc104ddd92fba66ea984473
SHA256 16ece6bb64e4cd2c7a253ba3f36caa81419ddd5e6c27065d6dde0a0a7eef3874
SHA512 9597043a0f15d0380c1e7a5f3d3e7baa54a3cc6674bcfe320f041cc31a8287b0c6ba4bcd14b0a72d73469caa68f7db0a8b3220e14b25a6ce4e39571db0a1cd55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52075df5ab0873b76559bc709c4c3b4a
SHA1 1ee54218c0c1f4a414978d511c9b7cd43bab655a
SHA256 fe77188d89a1b167fdde0e72535503c14d4293d7463fb45024b9d2b4791956df
SHA512 36d1761635c742ab30c9085ee57a1fdc87a23b839c69594837f7ec92103c1fef218553774b4b8eb90f25fa76b82368969bd3c1e51ed412cd311f4228e38e6d36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a13c4df42c50b8ffed8fdecc09de355
SHA1 cb88676026689ac1bbdcec27ecbec86825691bbd
SHA256 ee5aca1eb8116d5f1cb35fe8fc4727ff4fa730d25d1f79dc1e3fb7de33b7e6e4
SHA512 208afc45df2be101f13ab6ad1847712494796554eeb329b412f1b0fcfac721e5e3a4169523fa10e25e20b4a0da555064524ad10f5156c4fa373746cc91808d14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f73ad0e46835f097382c4991c21776b
SHA1 836367456baaf63a1600569f102dbafe3375928b
SHA256 7390016a2b923e14c339985b9e2e8b93005a52f04395312c43ebe7b50652f3f2
SHA512 5d2a26c10488a693e99838205319324f4278de61a34ba375076d31930b01b9fdaae188a9009f2683feb6b42d423df023b6fbf5637a4989600bccb48278bcdca9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1a13198d9edde9b10f1ebb775676c8d
SHA1 07481a101b67bc80a663fdd3cf8a1ab03d5a5484
SHA256 34669a545cdab23c8216f3b5968be9313ed98077e5621f5224a4219fa92d17dd
SHA512 fd7a1d6699940d4431dfb6187e510c2fdf97610f0b111dfd5ce87a70c736b8d226f6cc436fc7824a4b86f59aa4df1cd61c647cce2de5e1760dc1da9edab71584

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6695e2e398333c256a69ab17f7b29665
SHA1 63f5f022436e782d35ad3398fd4beb8d6026388e
SHA256 94043b49e869a3a08b0aad35a2a4d5dfa5eb5b3d49518a070526e51adf9323d7
SHA512 4b7f68676b52b86804d1bf5ec236889f046c37afb6f39e8f7ec34befa4a91061f6e81de1d7fcee1f84a35ce1f736166bd76388f66e27a8eeff6a589ca7154eae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43a0d3d6dac3f00a975c434ffc512580
SHA1 5eebf6eb667222222a78d775b562b2c568d6d38b
SHA256 14ee7cf17fd4d4ae7678ae35abbf246690dfd9ad16be79b8ef1d3135ee7dd3ea
SHA512 6439c430a06eb107574bec143240807c9546a21705f8c73d3e8402f94158d4bd252d3cf4ef32979cccc091accfb27cfcc15a6d74c3dc96b776fe6434e1b95886

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfd0a6595c89f5512f08f19fd1cf9892
SHA1 8cbf58eddb1ff968b1ac3ab5be773e03374cebd1
SHA256 8ff95283e7af3e67df4623f0311312d1d061b891bebd5f68fe8b3622bd759f5f
SHA512 0e3828a3fb9d618e6e11ebbbf11e224a9376dfd299d1f0e3bf9fcf3c9030d17fcdae2022f068674843d6af439f36210378bf70437e32d6d3d5aa436f14b2b2cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e05d381872c8d3569d1a87383b56139
SHA1 fc468ec96d9b341297ae6e6c32c010811a66d789
SHA256 bd76d898cd0a058fcf4f4ca054d4ea246e7e53f1eddceb91c50998b07c915d81
SHA512 08ed170e494549bd71ed98f3021a4d3af775664cb72f9dac03a4b0024f102c8c796522b9017813f1a593d3501410af76f6bbdc346893e7d4f481f42df43bddf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f050cbd9848e34ecda87dd955522639
SHA1 825d89c1e210f2e9ae826fedb161d3a5743d8491
SHA256 20213979e15c1bb4705c072bd4c306064b1d89b75eb6b86d9d5341c1b3d6655d
SHA512 2184f6e931eda6c4bc76be55fad6244084b4196351d9c9f94d9319a640db8b3c73336bf57940253686351334bb524cf1ae1420039bee87ef3613b0cbf4e65f7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80b2c73dc3b23816fc0b6d56562ff558
SHA1 1f6b86ecbd8c76811aba3fbf85fe0cb8a030f32d
SHA256 b4b3b7288942a787f41d7ea8db4e5ccff4578de304cf3168d9edc9d4ac361934
SHA512 f012a38a6b755a8846abdb2ff5631d0d4b88d3e6d378977c1c08c512800b59e78addee3f68f6d3d927be133baedcd36062645b44223f2f0115ad356ab300533c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 21:45

Reported

2024-06-14 21:47

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ab9ab1973395c886b5ff706df7d1eb7c_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ab9ab1973395c886b5ff706df7d1eb7c_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa228f46f8,0x7ffa228f4708,0x7ffa228f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8417783820678134789,15233980854910655509,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c39b3aa574c0c938c80eb263bb450311
SHA1 f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512 eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

\??\pipe\LOCAL\crashpad_4996_FQEAQURWRMNENPUF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dabfafd78687947a9de64dd5b776d25f
SHA1 16084c74980dbad713f9d332091985808b436dea
SHA256 c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512 dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5c0ab204ae407650c31639ffe8d74c48
SHA1 ce5426a9e8a5b38139303b239f92db39928dee5c
SHA256 b321ded13e2d2ddeb3d2256e6bbf32d6df7b8fc9b28101aeb23614910c296b5d
SHA512 2649e13922b8dfc8668b700d28c963c59ea1568110591bfe3a0643e7b06fe06e515017ab79a088ed1dd32089014b4fe6b404674265fb9e8361e8beab8aa63417

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2f64a6484e6f905a5d7c8f1634702afe
SHA1 c3184d948206fceb37bcfb167ea06ed43fba8480
SHA256 9db372477c4916fde52add33ec243616c042adfb6fae508ad7b021c794f7022f
SHA512 fb8d97313850498aeb2cae939c5bf6e960729e224b1a54f49c9935e079bd051e6901bab3f106d3d8bd9191c6308b96d5f9c2517fedabf05eea631c8253be64ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e13d23c0d480a961d0a70f8ad3d57533
SHA1 ea2ace33a100aeb5116c36337e0d068c77a6ff81
SHA256 38d2b79afdb6e984473cab0659a35bf638812feb44cee81d6895254ce20d116f
SHA512 2618a34e68e56dfc6b271b4780560bd11e386827d2274f7fd489c8d39799c71bcab39a54895c2f69cea8637bac1b63339a83531989cef2e6cb33bd5492621546