Malware Analysis Report

2024-10-19 07:00

Sample ID 240620-s5e35avfmf
Target 07665c23ca68173f7490e11482c898ae_JaffaCakes118
SHA256 a6de0c5b37fde764b88464df279ebef8f98dcb55e2972240be32327837987555
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6de0c5b37fde764b88464df279ebef8f98dcb55e2972240be32327837987555

Threat Level: Known bad

The file 07665c23ca68173f7490e11482c898ae_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Deletes itself

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy WMI provider

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 15:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 15:42

Reported

2024-06-20 15:44

Platform

win7-20231129-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites\desktop.ini C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC20B5B1-2F1B-11EF-BDEB-D6E40795ECBF}.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AC20B5B3-2F1B-11EF-BDEB-D6E40795ECBF}.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~ C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~ C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\Favorites\Links C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC20B5B1-2F1B-11EF-BDEB-D6E40795ECBF}.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\SysWOW64\Bank.dll C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1] C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms C:\Program Files\Internet Explorer\iexplore.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\WpadNetworkName = "Network 3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-24-0f-a9-df-c2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = b0eab27128c3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = b01c936e28c3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "zijnj4w" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007339c301faab814795228f5d82ec6e51000000000200000000001066000000010000200000007cf526deb5217b73a628131ec37727e8f9cdb648c00e43c4e51a5773ec46d163000000000e80000000020000200000004f0e4b641b75fa8ddec94c0d2935b8a33a81ea2176811152675a29fd1587b347100000005c33fd9b172ab31c5bbbf356e5d887eb40000000e3d945f245148c7b2eb1b6a2dca8a48ccbfc3301c4fcd93da81efbcb27b3f10560cbbb70ff0b08db20f447dec1f3dcf9c50f47d97c6f19f0ea4067968894c529 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046} C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070600040014000f002a0015002a0102000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2804 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2288 wrote to memory of 2804 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2288 wrote to memory of 2804 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2288 wrote to memory of 2804 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2288 wrote to memory of 2804 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 2068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 2804 wrote to memory of 2068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 2804 wrote to memory of 2068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 2804 wrote to memory of 2384 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2384 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2384 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2804 wrote to memory of 2384 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07665C~1.EXE > nul

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 23.62.61.97:80 www.bing.com tcp
NL 23.62.61.97:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2180-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2180-1-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

MD5 07665c23ca68173f7490e11482c898ae
SHA1 358bfb2d3f364d99b7a0699e07a763d4b06ccfb5
SHA256 a6de0c5b37fde764b88464df279ebef8f98dcb55e2972240be32327837987555
SHA512 086387998f5345121e1bece26e93e33381dde4a39bac3ee5dae561d822d5a9d860aba5b2572d957fa84a3960a00448c06f0a67cd57acaaf39d66042ea3160ef5

memory/2288-5-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2180-6-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2288-9-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

MD5 3c106f431417240da12fd827323b7724
SHA1 2345cc77576f666b812b55ea7420b8d2c4d2a0b5
SHA256 e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57
SHA512 c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

MD5 2578ef0db08f1e1e7578068186a1be0f
SHA1 87dca2f554fa51a98726f0a7a9ac0120be0c4572
SHA256 bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3
SHA512 b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

C:\Windows\Temp\wwwBD4.tmp

MD5 2ce792bc1394673282b741a25d6148a2
SHA1 5835c389ea0f0c1423fa26f98b84a875a11d19b1
SHA256 992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48
SHA512 cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

MD5 11cede0563d1d61930e433cd638d6419
SHA1 366b26547292482b871404b33930cefca8810dbd
SHA256 e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9
SHA512 d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

C:\Windows\Temp\wwwBC4.tmp

MD5 a1fd5255ed62e10721ac426cd139aa83
SHA1 98a11bdd942bb66e9c829ae0685239212e966b9e
SHA256 d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4
SHA512 51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

C:\Windows\Temp\Cab174D.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar1760.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\Temp\Tar19A7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a763ec06f392716b03a6422db1749af
SHA1 afdcc0efa2583b21126cb2f509017a732b014662
SHA256 f65349ed9e04ffa4d64294bd6a5c91d1a39e976711f156043c14ad29b2af3e4f
SHA512 7f0834a10ae634fe8c9c319437033d9b0e5fc89e1c9e7dd380145a95b18d63148deeedccf77e3bbf9732b6bfc96739b85aeb1e4d016ff6baed1a54a5b87d816a

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23f3bc940741d204efa026146b4d13da
SHA1 3787ec2f224297448cc0a7c6a01ee280189bcc97
SHA256 b0da38e30f8727078117c435294dee8c282357583724c90e395df4ae29c6abca
SHA512 bc0c431e478ecd885a5d77881a01d4b1b8cb671ee39cfd378d282c4b3ffefb45a47caa56049e038da7fa2f83fd5fec599e81976c35752107732103c9524718f3

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 cd651f3d663b018d69355d4b6be53fa2
SHA1 0d885b239680230c1588ae6a11c73765302fdda8
SHA256 fd18ac07f0e666167c6abae5dff2c23c306b358012ffe8b666992d7227ff7d18
SHA512 0a364b857d0ff77d0231c459e22b5e48820ff69c23b669637f78340964fc7bf155d6bbb261220b63744ed8de32eaf6fdbd11bc91f7c48a7b78877d421b3db2e1

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6d7226d8b0645fa6c2d896f8dbfd6ee
SHA1 04948d9c74d3a2bc9f0fcfb59d5b5142440ecba7
SHA256 90875fdea636c4c96453d4f7ed805132a10b2f1be8c0e8ed5205eaaf7c444a8d
SHA512 e32ab74ff8d906e5a2dd7f33198bce5606f2c29d5b89a877f4f301c55555b22b281ca69a37775ad0889215b8f8800dd00f5642e453d5dc084f6a5c8e43555f37

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 909534b5b147993eb7add3ba951e8bc7
SHA1 83ea3d33ab12d8c784977f266dd4f92fb96fe73f
SHA256 bcfd90156e7fce7c965141633a8d4aa240ff6eb5b55a7782cfb0ea13b5105723
SHA512 91e7f897f2865e65ebbdf66b15c5ddbcdfa12107e010e8481a39112344b3ceef48087348e52518b9eb06b24b9386be981e41ac4e6af3663d27bcc52bcbba0f50

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a3700ca763912b586c241dd64ee03d8
SHA1 fca28205b32543d35bf90bc06e83534e9f743c8a
SHA256 bc5eb91f1bde13fa34128ab67e8e1a5f74c0b7f4213ed70023e6cdcc3db48c6f
SHA512 f439e86ea3aa60275f2b43d7048d04b365136b0d472b24e676df61e2cc6597e6ae9c9bc1af56bc86309426b8d0b11b497111a26bcf119ecf8cf5ac48f08ec2d4

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acc55d30b38b8602ec34de3ea387d9ef
SHA1 7f7d6616d1a574cdc5d7b263bd230b18041be533
SHA256 382bed5c9b5cd1b446e2024abcc0e0de9c95b6fedb07bb988aec5c9f6e35867d
SHA512 f851403be6ebf9ab4cc758eeb906b67b3306220543a095599ba4245b572e540076c9b9e5f6e2a099862e0f22ecf211067558655cf3ad416d4885541edded3db4

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33c9392704a82dd23a530227cd6c538f
SHA1 7028505e004af7ad27574da1c9f2fb3e44a5ec30
SHA256 fa0f03e8022ce2bc8452d637d4063a2edab933511e8005e56fe96f9862982bb4
SHA512 be3997f4baebcc7229231ba9e28612feef0a584831fc60952241649526bcde007d1facc36c0a123f1aadaf20c14541af6396f460c35531c14a994da68a05a1e0

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2bebbe33799721c1bfadcf9f5aafb52
SHA1 e1a4618687e03023098015f96569818302b6b743
SHA256 3d5915c2e50b423bfcc0c51c4b3e7e8934c3b77b08c1d84dc2fbed4a7ab4e45b
SHA512 6e270fde3e9379ba24a0d7dc155dc326366b89c1b20361a28a3e0e0d383ae562b4e023da8bee175bc51ea68e3482c3cdb3d8ef218a839d1bc07fd4f9b038e228

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31780e9a1d5f39d7256583eae208f8f2
SHA1 9de5bc1e75bf3742bf6dab696c716661c95b6318
SHA256 ec03f9e7dc6b267df1b57404f151f5554426797a6ae41c31d73c137fd8eff719
SHA512 25aa45e2d65fa01dc2d772e30fb3121e70bd554acf7cced8ed11ce111159f88b6b331d8790b9b923d5f23d1a643c662606748c5eb6ab1239ecc2596240d061d8

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9ca163643116719e0be5a8f59f3aa1c
SHA1 5a6b18414db386ed39eea624526b1981d36214fd
SHA256 53f7e0dc1fcd6aa969f70586fd54c12110a93e43059ea7d8835ce4565922010a
SHA512 6011e9553a9d07d34dd14e91ff390de91bc6577b93124fdc847cff3ccc447c4ed50789d0ef62e6a10b4f26de2f76421833394839f01b1d1732a281ce9f1d2fb1

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 443f7edc3380df31faee27e4b969bbb4
SHA1 d8d32c05a79ef07fc77d9451ddb81e5222e8e53c
SHA256 33883136262189c8435aeefd8a00b850b825bdccb3019c369f6238e6154a0caf
SHA512 2b9a474bd26740bd9100134fec8eee62bb7679d139fb0fdd29bcc71d9143f816ea0d7ed8d258c91798b4363d114dd3c2ebb5f4636a2332e955801616edc37279

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 371423b224dca6dbaf5af51354b7aa40
SHA1 60630728b9977151f366f641fc588ff17efa8684
SHA256 f55acf1146d0c58fda3dae96825cd3f33bab08953e6960a23589f514d0fce396
SHA512 b39e9d33e8d9e78707fac9708e37c5fdc286e31de3ebe9d6360f38943785a81918a1ca3799115cb3c1a747d71a749a4bd9c013d8992517af1de7e4e5a7e99251

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae20fd84aeb886d25e95b6e416f8a4c7
SHA1 ff682380e1e495ee9a4e34b57c453902c1b181bd
SHA256 84402e7ada62b7303edbbf8fef848429f0802485b08938e24b8d4f02a8815b9f
SHA512 11ab1efc9777e016e62db08381ac1a51da7d70b63b2bcc7be64d7cc077790fc404be7ec517ad648397329d44dc34d5fb70d8fc0343e5045a0138aa12e7fef7f2

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00d5aee12a679294972bbd5a559d6a70
SHA1 ed8bd2a53f4cd7203c2d0f0fa5a01dace8fb987b
SHA256 583ae6372a0e60c2c894af8931e04307a576eaf78c01ff62f6709dff9f04b277
SHA512 972997d22848f47fc90828ca14270ce186d6b24e051da323a6c5224d7e263cbdb082a8367ea19006cf24d16c2c85aeb1eac328f875903e444e54d9eeda979e83

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ea5515773ac1967307501b44067ebab
SHA1 b29f5d2ed787474692f7766bf5db610a0804a124
SHA256 70d1ad754183b9b168e86ee2817aaa9457c262bacf8a61f3a1ae993d13c02aa0
SHA512 0b8e6e2a512e04b7f98817fb6ff6de484c3b7bb5e23670d6c8b9a4ff8276cca3b0b7408bcc197fc0748db11da5f675ee1bdd3679ffddb127bf34d4573e23460b

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 572cf098c6d7f815cc0352e9998cb588
SHA1 bd5134fc9da096b701290825cfffe29932c32f71
SHA256 d82a88023ae04d24e46b4fb44b5bcd86ef00116b791f7ac7c8c476dc7ada3817
SHA512 9c03136eda02ae661e7153911cd337cef88068ec43955c658be4534daf7edc2d9ea800b3d800e737f57c0322037df3ad070bf3b33a81fc68cf57c0fe16282cc5

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ad7186912a8369b6330e87748223ef1
SHA1 2c2676d6f495cf6b0dc9e12758790c5411178299
SHA256 519d435450649d68365f71f660735b1ea4ba1b1dfefa7fcd15ff5d7e4b06f7b7
SHA512 fae0f6930caeea2d436ebdc780fe20dbe4affd46677c5d9e1cb3d0eff35ff8d0e8638800264c5b2d7e09372ebfb713114228bce186f0d12cdf89c464add04a83

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 013f96198e9738310aad7da61c115553
SHA1 186323016afc06a0fcf934860b78cac0b48d359e
SHA256 69eb74c7efd819aa84ca7b5475434b31980cf4b5feced64693a1111cef0aff29
SHA512 e83950582503f1971176718cd3a56898345bd84d832305ed0f277882e5ce32f42af57967d652d740025b6f96b9f9e0e94365da3424a0b51d6f59ad41ae1a6370

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e0433e31f770cbc50fb5fda6d471123
SHA1 49d4baa897a45ea529b61c4f5cde8f37466caba4
SHA256 13b93163bdbfc69c52361a0b495b8620a46c6836a0ce714d9de8864a0c085b65
SHA512 7d6bb77c187cdbef959ea47415958ec355b6283485a2bc216a37ddb0c6eb8cdb6bcd4c4cb430b5159c01e0df97a2fb54dfeeac099f50f0071d3642a664898282

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d371575c8692f5c1bd37dff67cc007e
SHA1 aa2ce93f7ceb3acdb995147f4da906cda91d1710
SHA256 0efa1ba283d1fd51e3e30c29173bef3f0a8fcda0dc0b3d1420e876980c09e05b
SHA512 5ec4515e238007669aca039624712f1087a4e28b52dbc3a5e229bdb9499813db6362c1f4feca9ed2bc1baf7345de4f42c04ae0c9c689f45b8af58fdfe7ab3cd0

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4065e7aecf917e27ea778cfb7f35b3ac
SHA1 e3022c5a54b90bb3e1e3adf2166119258dba25f4
SHA256 2878e122a769054b4f47a5c6f41c864e4ce03ff6b99b7f294215533b3506400f
SHA512 048bd77a0b5703be01844a6a15781a99f893ad1610acca66e5085dd97fb1eff0f4d666f85c9a14a786186b1fa5cd39e8f8adc98d40fc0725bca9a76c0532ba01

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 15:42

Reported

2024-06-20 15:44

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOCK C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe576810.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\History-journal C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\b8877e8b-bc25-4a49-8ef2-65b42e2b7aa8.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-journal C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\47fd8c1c-9d8e-4889-b73a-15835e732174.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\lockfile C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\2d8c2cb0-e3ac-4a55-9b5e-a27a1ba78e1c.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\d7c2cbe9-2c4e-4cb2-8e1f-89c0beb4aaec.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOCK C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico~RFe5740a3.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ADE1580F-2F1B-11EF-8383-56995CF5AA0C}.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Last Version C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Web Data-journal C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Last Browser C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\85bda22e-94e1-4132-bc2c-87524e0d73e2.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[2].ico C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe577b0c.TMP C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\0d06abd5-b47a-413c-81d1-bcf6e4463dca.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\warnStateCache C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000003.log C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOCK C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000001.dbtmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\33cc8cd9-22ae-4a8d-9b0f-5a54c08b9ecb.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20240620154225.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Flags = "1024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice\ProgId = "MSEdgeHTM" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\StabilityMetrics C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\jdiccldimpdaibmpdkjnbmckianbfold = "DC53006DC9942F5C49197C7B6ADC691461EF1D3293142836BDBE2A0518D2A7FA" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 3c49120569bcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\settings_reset_prompt.last_triggered_for_startup_urls = "A919955997DB30C8FDC662B9797EBC6AC61B582B61351971E5DD093C4C394D07" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXvepbp3z66accmsd0x877zbbxjctkpr6t_.epub = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\ihmafllikibpmigkcoadcmckbfhibefp = "9020AEA020B652FBA61E92AC9541839718CEB0E6DF2177C9606D4710DBCE6133" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\homepage = "67140D3FA18E8732D85FEBF25A7145F55DBA71E189F52E3937FCAE16AF33ED57" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\Extensions C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070600040014000f002a001800e80101000000644ea2ef78b0d01189e400c04fc9e26e C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings\fikbjbembnmfhppjfnmfkahdhfohhjmg = "873FA5B1A60E3BDB5E78873AF32756DE7C1CA587B9889931FDA390439A3350EE" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 3c49120569bcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\extensions.settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\MSEdgeHTM_.mht = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids\mhtmlfile = "0" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000063d9fdfe1838ef42916d3a9ac478c5f300000000020000000000106600000001000020000000a644b4867257bcce0e6a513174fc23773543585f911a5da2df3dc136ea549e25000000000e800000000200002000000022f3558c787bb11c7d881dc04deeaa1347ee5924dcdddb8cf2585e6e9e0f7a4210000000d2e02689d689eeb2e553a4ba7298c8be400000003902e1860dfa876fdc461ce50757b151f191050c5b5f00f01510c41c6a4c3a0f63214717739b5e959c602254511a76b16ee454bbab4e9129f43d8f88aa86fa8c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000063d9fdfe1838ef42916d3a9ac478c5f3000000000200000000001066000000010000200000000822f30a88b1644955906ec4809bdfdd1ba8158d70095f8db76cb717a039f8bd000000000e80000000020000200000004142207718b53fc393e74399220e3bec7e25bc0385d58b47a1a321020795dd43f003000038f7ecd13d5a6426816f4b22eb6ce92f113af1e05de11d78a357bd1f4539e2c1d33b9d7a4ea8a5596b4d814180781a2998699229788a81bad8691bc646cb268871a020f162ca239e81b75776be09f56857fc3c212003814a193a0feb41af3432ff1a2ecdbc38b28b7889b9d30a0c312bb069ba0972265720e8c5fb7399ac5109e291296918a83fb0d3576943bf9214704842e5809adfd50580e8c0e138ccbbab27c0d1b71c8c3c6438df183aff459c0d2a19152b16a491355e433e7257da7207a1d41045caa7786c6212cbdb4614481a506b0a12661277969cfb826a861281155f28882cb2764954b6e270dd60e77e4d31c3659a1d8b4c34641c10a82cdbcda2ca2aea700c39cd1495027a43f52cd2f9002a8cda9e2085744921c488f94a1aa410a7a10d84aa9a8100f427a276606cc7879c1145ab874598edea621fc5250d1af36e8ecbdfa5c3142168aca8a20b233cf3fc28894cfd6f91d869d5aebade5079d1f2c8c6ba8b9d2d975cedc7a8fd8e9cd34a381cf3d09600a264094a85bbd5130a7eea47848fe05467022ae17e7c77fd8db06eaa678d3b4129d1616e34c9a90ba5c28c8801ca0253f76b687d32aa481a4a781b8965c3b0ddedc7fcb07d09851b864247c34194af16eac666302e0d6cffa864087d3bea8ffb150c00ebff7d0555670a613e7010490ad7be5b4aad563079692834fff3b77d4d6a93640f0e179458b7d774c6729c27c6601603752760c482dd082c89b2096574a25cede52c7b261bd5a445a07d406a615a175209985017db8606fb570977630df6729c71ce24f2caa9de71e0cdedec7c3cabdd5feaaa49c4c025e02ad8684d19e42ddc25a4622b50211685415dc8355fa6de76c17bca93e0367d64d37def55a1765816e71371d1a9cc7ea08e7ae947b4582a7d8396b96b0b1f238e1839b3d1007bf1e18c65cf76caaf909ec3d207dcbb69e9718713f2a50d1cbce46609264e1a2f6a27938216c278e892d2d6a12e7f2c02994d5b1d3a5aceae98d3df916007c419629d678952204b027514af996258f9cbbaed12b4290bdf34498b63f3217c54a8bd6e63e4b75829cd768145e9884ea6f381b3dba298d6d7488e8461100b1a7c34864c9bcf2bdd3904fbef4a1831c3b8cd9549a4d0c5d5f05880eb220abd246fc78cebc2244a1a0e2f8ee6ba5c042e11f54c874ca08ef91c34be5b71b6ecb4454915aed5dab5774dc15b87abf72ee133d1ba1c5c034344f65aaee2e78a1f58fdad1deac64cff0249f6d037e7b2f809c02a09bcc207421e5670e084963fd392bcbd886a58736ab7cf12e335b1d2580a4a9f1fc677186fb20fdf30c69511daac71afc84f1d7c4a8b7298cf4f6537a411a4005e3d568cbb2517506363fc5796b05a5836b0dd3ebcd9ecc4187d3ce1e116839b71f60101828a37400000007584d071bfcfcfe45ced3426fcfc755c1e337c84d3d471e7e037e94574f684fe9003430b38a03e368e7ac72d7ea8f46695a7e5a07fd941d5839e49b445175449 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\BLBeacon C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\UsageStatsInSample = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\BLBeacon\state = "1" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice\ProgId = "MSEdgeHTM" C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Feeds\MUID C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018400FA672BAF6 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000063d9fdfe1838ef42916d3a9ac478c5f3000000000200000000001066000000010000200000008950262bcfb4bf035c587241199846a2f6c5ea2683b342819438208440b0ca80000000000e8000000002000020000000c89c8aded3c4f3d9115ab10bd1d45ec6f5a66a1813b1df5f9639d64c283d5017800000002a15fd5b6ca1037308cf798c08440be3ebad3de21093311972d143c6e4660196345778fd61ace51584961d41c71ce66426dd90a88c0cd6b607243a26fcf1c9459b7c2579cd1a241ac819c615a9bf86a54900d0c3733b58473782ca63f3649ec2201ad969f172740c417fa68df475289f23758ab4bd3a3829a019167335d96509400000007511fb0c42ae1e3e3d3b1871e5f497c28a6d7ccb0308a107b18f1851b37e3233dada6514d8e0a7477922de3052e1665790b14b865a97b1af7e5ab399568d274e C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\PreferenceMACs\Default\media.storage_id_salt = "D66B7F6414D343DDC039C39B52CDC5C5A5F84A26DA382A3B3F33385BBD995DA0" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\Flags = "1024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 4912 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4268 wrote to memory of 4912 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4268 wrote to memory of 4912 N/A C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4912 wrote to memory of 3268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4912 wrote to memory of 3268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4912 wrote to memory of 3268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3268 wrote to memory of 3128 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
PID 3268 wrote to memory of 3128 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
PID 3128 wrote to memory of 668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3128 wrote to memory of 668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 3720 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 668 wrote to memory of 1828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe"

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07665C~1.EXE > nul

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=40002c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=40002c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcea8846f8,0x7ffcea884708,0x7ffcea884718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17448208704631318961,6786661758045891213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7a0a95460,0x7ff7a0a95470,0x7ff7a0a95480

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2444-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2444-1-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\SysWOW64\07665c23ca68173f7490e11482c898ae_JaffaCakes118.exe

MD5 07665c23ca68173f7490e11482c898ae
SHA1 358bfb2d3f364d99b7a0699e07a763d4b06ccfb5
SHA256 a6de0c5b37fde764b88464df279ebef8f98dcb55e2972240be32327837987555
SHA512 086387998f5345121e1bece26e93e33381dde4a39bac3ee5dae561d822d5a9d860aba5b2572d957fa84a3960a00448c06f0a67cd57acaaf39d66042ea3160ef5

memory/4268-6-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2444-7-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4268-9-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 65f36e1b733209b8d1f191fd3c70d17e
SHA1 099156da7d0ceee0bac2a49d87b9e17c9f6d1072
SHA256 f3696ccf536edc86edc26e47aa4743b37567ef422123406e9e699849e3486369
SHA512 9dcca52f6387a2b6a27677a9651bf96f025fbd17287ec70a722d1f0ae5f11a4fda09e7815de2bd3e78256286d9a2f20a56deeced31daefc052f8994782a9e7cb

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4380d25ba92d04d3d83cea8d211db07
SHA1 e3170311d3b47b7a98f0694766bc531fefcfe13d
SHA256 04f90ff9c778213cd270f1d3d148763262758a6dba82e64f995aa5c076e93626
SHA512 6b2cd861d62c5a57f1c101d98b362bd03418694dfdab09ae06e7282cf696877c930a9297034fe89954a92809cab20e04bb1dd81e4bfe19d21c8a043df629442b

\??\pipe\LOCAL\crashpad_668_OUDMOSSJHNGTHJWD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\b8877e8b-bc25-4a49-8ef2-65b42e2b7aa8.tmp

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 98a7a5253c0a573a62ec4637c987f5fb
SHA1 0a941eb8a31809fc5a3b4b516388173c16fbeda2
SHA256 9e2c35bb9ad55f306d607eea7522873b687592091f5e53c4d3a487d1bf8c902b
SHA512 7559696390e4799a36ad497a855aa2f0c092e760ffaf24adf064fa5816686aa38274ad8668e650363cffc2a607ae257fc020a3cef5f86c121635376f1daa9670

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe57420a.TMP

MD5 dbc0e7a9424f0de6cf86310cc6deb99f
SHA1 c8cbb87e8d51e17cff6b2950599eab947d39b556
SHA256 179e0a013af6ce46ebd2cb4b31ac3dcded13503b2668489f2c5972f3873548e1
SHA512 99978206f789adcac6169ba8938c671dc809f1762368eee2dd008df99f5b41fe8a9de81c7da481aebba176aa14478e4d7937a01e05ab18348ced0e3a7909c0a9

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Windows\Temp\Kno5311.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b793dbc2a5d5e415f4416ce8b39a75f9
SHA1 e1ffc2eabe8b7e40bc660a0a626e9b96902a3183
SHA256 b8335d3f587da6454cb506527e4e660eed70314b079f93c9583fbca89f784849
SHA512 1d59de0a8b455977cf8696c82309cf03780a50148e14a0b64f9a1647ddbd43b8f1c3c5259a63f56d3209b96b417585b217c6fad761f35a26ab7d688781631510

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe5768dc.TMP

MD5 6d65dcb7e17a87c48bbb379cb86c5782
SHA1 d56134e8fbdad569b6ee0b783b65b99f67652940
SHA256 d896482ca56181683bade681ce531259cada0cc74e9920986110eb61cfa8b940
SHA512 8d851c393986004117d88c5569ca3a7970ccaddaa606d6c4d86cc223de60d25703528d0933f4b6d7899bf329704c5f6c3994a6b49b008bc3df11e4e52eca9384

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 2e1df851a916befe05318eac0767836f
SHA1 7c10d3f8c52e5adc118a0c03795677c61795b10c
SHA256 f3d6144e9fe82e09b3d5c1a80e196c79a0ccc23e9c8a3d1a03fd2cf3b8a0b83c
SHA512 b97f599c9927619e5b13439c6d1c9c16e94c0d56fd22c6238180adb4a5685346e3480012a0e84d9e94334e9135337d86e14cbad5503342f03a97a2d341606621

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\ec02f14e-61eb-489a-a7a7-fa1263257936.tmp

MD5 83257fe3af2a1ceb085685bda7f0f052
SHA1 6eddb536951dbddbacaabc56dbc20dbe5bda14a5
SHA256 8b6bd44afa9b9366b72f827291d455d18f7f81fb2bc8ac0e77d596e605727754
SHA512 c3debf10e2dd0eba7ce7afd386b37c13b0f956d46d9d7d87e03c1e0caf810b51892f777a93e12931f18ede3fbdafaa9440ca3f6b0957525b42314c6c14e80ee1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 84f6628a1309303648ac7358619c145f
SHA1 e51051b6975c80fc76f69b9c2467c2007ff68feb
SHA256 2742e23dcce0db5c16d13ddd7fd648daf7402795f5e7eb016b049ef56d956b8e
SHA512 04d68acc83039dbce75c7621a1adb1f291035efea930aa9cd38f526c405c31486a9ec3baeef39a34c9f1182a2ea03cfcc6839faed322476bd5b5cbbbd3f88f8b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\8f2f316d-a2c0-4579-8144-97a3ee1babf3.tmp

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee