Malware Analysis Report

2024-10-19 13:20

Sample ID 240616-kqf3wa1dkp
Target b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118
SHA256 9ec301e2affabe4a4ccb7e63a61020f35a21b6aa558c4f1f02d2e083b60565e4
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ec301e2affabe4a4ccb7e63a61020f35a21b6aa558c4f1f02d2e083b60565e4

Threat Level: Known bad

The file b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 08:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 08:48

Reported

2024-06-16 08:50

Platform

win7-20240221-en

Max time kernel

130s

Max time network

131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxFCA7.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424689556" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27867801-2BBD-11EF-A30C-E60682B688C9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2552 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 1116 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2552 wrote to memory of 1116 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2552 wrote to memory of 1116 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2552 wrote to memory of 1116 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1116 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1116 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1116 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1116 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 628 wrote to memory of 1952 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 628 wrote to memory of 1952 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 628 wrote to memory of 1952 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 628 wrote to memory of 1952 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1728 wrote to memory of 2336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275477 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ol3gax.top udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1E1D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1F0E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 053c7903623f2f5d63bb0fd100e2d68b
SHA1 3cd9e65a9102166743bbbe2282e1699b2863d144
SHA256 4f56e9a92dbd3449efebd8ca4a0fcc9b95b4de909f2baf2f0f6238a98e61f0f2
SHA512 9ae6a43cabb79fcc5646904927d37c234652675e78d7d496bc7efdef0b975d7b9ddf2d5a0ba940fe41d928bd2e816962b3801f6cd962fdfd40c7f81fec15b535

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fc09cf09a72796a6612855d8a6a5a11
SHA1 d630c95ae4fe6af2f5f8ce01c6b2e670af2a0d69
SHA256 de1cab79bbc11f93d9eea7d47267322323aafd411d229c914351d538b2162dcd
SHA512 d20090d7e75e14658ed117db7fd61cb26e0a0863646a895c24359a17265be98fa073b1c9323f66932228d84293ade870f5c27a79707b6b53c718661f8af146f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e6cd537249b9a22db00f7df730965fa
SHA1 3ffb3878d1b1ec2bb413be035b7b085e89d10280
SHA256 9765c73b1a84e016713671db987488bfb5dd21ae7ab19aafd9b5aa5ac25fe45c
SHA512 803604c526fa0c00277f83a7ecd45452c1ccfb144f94b1a5c15aa581e5a06aa52d579c5a52afff9c16daf8c1a13dc47d2f9aa206a4e839b96e64628c86defe03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48e4396f29e0ed5298fc0bd6600b82bf
SHA1 bd9f5e0d171bd0f6e7645c58f027db4c1795cca1
SHA256 461e6c5f8553917106c2240bbb95265b4d5b8156848c555b1b72f32e5a702ddd
SHA512 116c6b610a43065e205828aeccb52631b1f722e946272ad79c2757887a1981882f7b4f8ede0f7d605322629f7a3ffc1e4c3f2cdfbb4d4d101c9c7fb74f98a13f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87b656e619a9b6a086ae1d435ddfa95e
SHA1 723506c271f248949877248d9753e72beae73f74
SHA256 5b553b7cbf74cd0cdd59a08673370a39e137953efb4183000e4afa4bfe2213a5
SHA512 6ee29f0df18716ee49d5e580f48df1ef235cfa8722301f8a6d57e39a2febf3b510ce32f8c626fccb228eaa3fef98fdf4e26b8e3f4e533b72a9c088500002c4b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0089570a447cb9abbdd95481e13030b5
SHA1 46dea3b8e143ab595f1ab3e4f680727768df81d9
SHA256 d2924be31b80d8bf27768cb2f54a7a6c43032e3d224653008752568fe6909366
SHA512 26c5a20567690c2e66d7ed60caaf4d5a0fffd93830eb0dbb91c8a82f061151d77d05c12dc8131597c554537500c00e271695e06ccd74fdbb33d586aa85fee553

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 643ba971680a155cb66ea516225ac14d
SHA1 bc11eedce3e531ab2c7e138a10c1fbb9a90b4e56
SHA256 791136c6faed39bd125da26e72f542238ebc423382deda76f344603f1cc58fda
SHA512 2e68a79521daefd000660f40dcbc4cc88ddd5a9d523e1277319cea51885039a93d03f3e623293b72d00b2fc6c58d6b2d32322ddc84d0b302e52ca4e62ca4a4c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c31d113d841e0c4cfb5eb944219bdd1
SHA1 6ed3f1adfc70a7ffab01dea8eba0d0bcec20758e
SHA256 9cc45152128b6d00f33eccbed222a3ba60887ae9908353b4c0f5cb8baf6cdf43
SHA512 26b4d9583021df2abef1b81cd884061af8b9c3b72a0c3646005d71935d8e536a7c179629552187a033fc7beb7e8f17c2e93eaec67f6d9eadca59fa7e78f9a6db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75f999034e2cd6954676cb4b28f82ebd
SHA1 32b5969cb697332eaec9677175f7edd4c7f8042e
SHA256 eac254f6aef922551f6613da2323c0569e56b84c16fa743324ef76bf90b80193
SHA512 90072adfb89392570c7b90088458871a54fbf83cdda6e8d308fde80eb1cc86c30d93a65572d57d4524091546765f21440e9c738d9b6a85bd1e833cc78153d266

memory/628-489-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1116-483-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1116-482-0x0000000000400000-0x000000000042E000-memory.dmp

memory/628-491-0x0000000000240000-0x0000000000241000-memory.dmp

memory/628-493-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36e3724d9132903757450730f57a126c
SHA1 330dafc67118a52f59b17334c71885ff95b4799c
SHA256 4bae14e14d5de1dd1f7f7190f0080e53c7d349ff553fd369de35d68fa66c5c45
SHA512 64490b6d3c59729389db5748704bc28cfdb11d1c094e2a395a6a3b2b76b307f9bc90dfd621a1ea87a05a14a4ccbe860266080e467b21560f592c41fd46b17d5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25b070f7e74f0866e9c9136de962183e
SHA1 8b8192cb7bef4b1a5f7e14db692a13e21addd428
SHA256 e7c1d70ffb92a65b0f40b2d75f0ce157cf5023c400a74c0ff8c83094c094df02
SHA512 a0d67887b39a77f33038cc71739ba8c99c3de633de0eaa31ac90049f8999690c13e3b5be0ae985131b10a3dc389f0265499f8b33fe95a3aeec0284c6b6f7b859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 689a75a6855253dfcb19bc9a6f372dd9
SHA1 64c209aa1d0ca07ad0132ef825cc9b6dd787a1c7
SHA256 060237af3bb5d6ee1b8c1c454598c6ebacca47053253a72495ea7724f6398ccc
SHA512 b1078f390b45e95f6543c67f2c4275af6990929de6933bfb61ebbb78381c9ff32cd12a5e1d228b14641331c4469a55274caeb44af56d02153580325287d428dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6160e8df32de7c2c5f3a1dc4a4d98d60
SHA1 cf574290bd2546107bf089ba212a29e1af50014b
SHA256 4bcf856fe3134af03b9a3d2610a4651d5d5cb1ed555fdef33709fc9e711fd32d
SHA512 706375c26a0181625476d6d8635629bb7dc47fe3cac5bdaae29afea8671fd68e5cf566762444592969aff2c4d5399e2e926cbedabdf6b9f175f0a2eacbe14c9a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d1e376a34bc4728cf1f6b924b22548a
SHA1 70b447ac2473f41b78c85d807ccfdd2215bc863f
SHA256 0529a911b6061bc8ab5ba716fe10cf47b04715e28ce5624e1e66aced6525d6ed
SHA512 2030dce8c81db3de366d37e9fd2aee25ccb98d3b494f54ebb8e804daf1a55f3b53b0fe324ea347267457307e70bfaf7a1254026f57de83ce548759cae4aa5aa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41ee2eb73e7d5635358ae77f1f37328
SHA1 7bab0d033321eb5c01270fee44a1c061272e0c58
SHA256 a96e8c5f7566179f61d141d426e301a382a234a2c5df53cdfe4c74d1a5a56253
SHA512 8afc913d43f04a70bd0e51b774034fdadba05fdf44b84ff9690dc812cfab8a07bf995870f664a50b866b2437c1c934758031d291cd2fc78c8f8adcf20c93b93d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5f34e0ace544d8782c7fccbd80f026b
SHA1 49a850c0442ccb231baf270ce948ab8fcb32e67f
SHA256 e17f1a55579ff40e4f536241b7f11f4ad6a61f446a3190c8edb7dec034f9c135
SHA512 356a79bc6ddf1873e27fe739e0deb1f6fa7a8bad062e5fb6c67ff176a6bd0e06f903437f6fab48ff488460c2d0a5be3cbb6bc94ba3041d79a0e1f99173fd2f19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b7b25a544759882226f3af4dce7fed12
SHA1 1b688c874346bb1e8f65cb54abe1886e159ef945
SHA256 d670103947280efe1b95bdb3b9ce469e5b0f1d61414c4186fcd7052357fcf624
SHA512 b79bbfc6bdba222062dd4ee43e5abd3849e8079d439796338353f5466ca5556f2444e39da7a25fd730c770fdc6d3c003137ece98bf36b81355ec2d7378f08be2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a773cd84e165f784772ed75e3a7b1626
SHA1 5f2a6e1ff49e8d9cef5fecc4db192c4c5de680f0
SHA256 816003f9d70c037a4fe215b426f013823764740bd93c9d65dd507ae8d3e5870f
SHA512 3eb8d0da8abfde2f85e0fb8c3241dc4d39736984c6aee3bc6321e092a2a9bb7436d9a16a82156aed27fa21ee78cd784705ca5f99f024016cc8b7843951ba2d4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e6d360434321dd6796e352113d09c6c
SHA1 aea8070672f82d439dc198df4e4ae0af45d8b7ce
SHA256 38470a9f519a4613a46093dea1fc9d5ae45f6f88bcf3490e7500c19761067d69
SHA512 55fc68152c2dae1dff404934eaec47dba2e1bbf8b586847e7d93aa2bbcb42c77bfc22fbfe53a9f9511aba0b9671708b31c01a25af7c5ac295f6d87775d2379b9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 08:48

Reported

2024-06-16 08:50

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

134s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 2272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2976 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\b2a456c0d18c8969f41edfa3dd0f1228_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcac446f8,0x7ffdcac44708,0x7ffdcac44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,9251577208514838283,5550451864394596475,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ol3gax.top udp
US 8.8.8.8:53 news.share.baidu.com udp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
CN 39.156.68.163:80 news.share.baidu.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
CN 182.61.201.94:80 news.share.baidu.com tcp
CN 182.61.201.94:80 news.share.baidu.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
CN 182.61.201.93:80 news.share.baidu.com tcp
CN 182.61.201.93:80 news.share.baidu.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 112.34.113.148:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
CN 182.61.244.229:80 news.share.baidu.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
CN 180.101.212.103:80 news.share.baidu.com tcp
CN 180.101.212.103:80 news.share.baidu.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c39b3aa574c0c938c80eb263bb450311
SHA1 f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512 eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

\??\pipe\LOCAL\crashpad_2976_CSLSHPCJVPDDFLMC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dabfafd78687947a9de64dd5b776d25f
SHA1 16084c74980dbad713f9d332091985808b436dea
SHA256 c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512 dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 15d7c951d2ebc6e3763743854ee6c627
SHA1 3365ee21771ebd70b8a69a3372d293f2e276a825
SHA256 d64fd00585063c409b354fb151d1177e4fef4d6245be6093889646d4aff31d91
SHA512 2df9632de4f620f4cac640872e2eb918bf15cb56da40913cbd89672b8e12b0f7ca8cba5572dccf0a49aa694495434f65b433fca63dc15e393bca07a18556dcda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 aa96a1d284810d50d7b3005e31ee8bf8
SHA1 3569529690224bf3dd93cbff207e6faf6583da28
SHA256 690293be0e4a1be2602b49eb04ab7b1478b3967cbd824937a84ce8c9a7be4ed0
SHA512 44a1303bf619569ea5086a332de8a81bc2f5f595b899b3830a8ea3fcc70cc14f8e05d2829b5faa4f1a5a1511ee8d8285d37e13e1cb860d002b12cd7a0201355b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a837828ce8159528fa52576acd95ff74
SHA1 63d2f14a6f6ec1b5546046a31ba473a5ed3c363f
SHA256 a677bd56d1064eb6e1046bb375c63dad0948fb2e3feba32cdebf937f709439f9
SHA512 22c13e6734412192dff2bf956728eae6e2c420467b1e13d4e10f24415eba3c230cc988f1dcc4ca1c9890a5ec110d3603fc342bfb8db9db6e96ee6a78de5842d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389