Analysis Overview
SHA256
583e16e5a6d356025b2289aaa6a1cc244cde8992856154891a2b89c1f540d53d
Threat Level: Likely malicious
The file 023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Identifies Wine through registry keys
Executes dropped EXE
Checks computer location settings
Installs/modifies Browser Helper Object
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 13:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 13:01
Reported
2024-06-22 13:04
Platform
win7-20240611-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine | C:\Windows\install.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\protesto1.pdf | C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe | N/A |
| File created | C:\Windows\jsp062201.dll | C:\Windows\install.exe | N/A |
| File opened for modification | C:\Windows\jsp062201.dll | C:\Windows\install.exe | N/A |
| File created | \??\c:\windows\install.exe | C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99AD0A01-3097-11EF-8E7F-CE8752B95906} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000cfb3a04c9802cfea86b5abab0092a94197b7f34e9dbc3fab754a24ab3d1af18a000000000e800000000200002000000027680f7ce9c8a0589411dcf1788a7a584dfde290c60414ce6cfd30fe7904d351200000001b17f9917ed2cc019d696382f07cdef4bce50b7f5d7ec42e5cc1a69931de493c40000000758af949a6ebae845458fa66af79c887277f2499bf606246d2b98b339e3698b4a68cea532f8c31ca37ab24e3517df606ba1ecbcd80503eddf9a7789717c79ffb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e2c471a4c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425223182" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000bff1a86c0ff2839924d2afc8b6c9d7855c1c7fcf63873326f2e06dcb88e8b08f000000000e8000000002000020000000778230b52fa2e2a58868d8d15be93ed60998bb60e154df429d1257ebac5dbdcf90000000f3be490ae7f6f63408d6424b6cdd287ce144aa001a69481996edd5102cf0dfaab7f20914fa928b3d2fa842b182356642dd2a3b7868a96a2bf1813a549ff1481dd199e4dbb5f8439c0635f383e9aec049cf328a05041c487558ae156131028922f08d0ee62f2e27a13abfb61399014143307f0ef711e92401cd0fd41762f0577d4735eef40e242b746f0ca75e1a40d12840000000a547c46e8a6f546b8dc0fdd4b66067a38e572372b97113c0a4731f0bf46a1af00954dbf29ce2b185e70f0e3c9da67b10b823db4b63bd6c42bc62982a7b9eaeeb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ = "C:\\Windows\\jsp062201.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"
C:\Windows\install.exe
"C:\Windows\install.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\jsp062201.dll
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.correiosonline.com.br/pt_telegrama_sel.asp
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
| BR | 201.48.198.80:80 | www.correiosonline.com.br | tcp |
| BR | 201.48.198.80:80 | www.correiosonline.com.br | tcp |
| BR | 201.48.198.80:443 | www.correiosonline.com.br | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1912-4-0x0000000003440000-0x00000000035B3000-memory.dmp
C:\Windows\install.exe
| MD5 | 3bcf1d552a3f5ca5e641df52c572418e |
| SHA1 | d3b193b3adb12e4bc5ab29bae76105dc47941ee9 |
| SHA256 | ee2f91eb69ac18b9c057dd9e5716eb26fef37501e941f8b781e610477b76bb51 |
| SHA512 | 593d0a09305709ba8a318ebb94f9bd3db2798f865bc9b3b8a7d8191f0abaaf50be11dfead9f2b75e7c431de827d8a4416187aeece56396bee55ad63e686f99a0 |
memory/2168-7-0x0000000000400000-0x0000000000573000-memory.dmp
memory/2168-8-0x00000000775A0000-0x00000000775A2000-memory.dmp
C:\Windows\protesto1.pdf
| MD5 | 4756efeab0b28a6284ad7b07699615c5 |
| SHA1 | d0da2ffc0c5a6ab4236e28ebcc0828af3c91f475 |
| SHA256 | 8983faca41c1ed196f82ed2e4fd0927c69008e733e16b673b2b295c00f89ce56 |
| SHA512 | fbf3c22a3a0c88bbab3c4e626ba69451fa3ce51e265416f47e0272fcc86380c5e073a8fd40afac3f3b53317dbbd0dae5ab20096ce4a4949aef6f38c20a8f0539 |
memory/2168-12-0x0000000000401000-0x0000000000402000-memory.dmp
memory/2168-13-0x0000000000400000-0x0000000000573000-memory.dmp
memory/2920-17-0x00000000021F0000-0x00000000024A8000-memory.dmp
memory/2168-22-0x0000000000400000-0x0000000000573000-memory.dmp
memory/2168-21-0x0000000004590000-0x00000000045A0000-memory.dmp
memory/2168-20-0x0000000000400000-0x0000000000573000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ba16a14c533c1ece23d00bd9326f5138 |
| SHA1 | d8844dd8fa75dae4e3111d606ea41110e5646f64 |
| SHA256 | 7afdcaddffc0cbc6a5fccd03a9e4fb873bef168e6d7648a41ab27509faeb94b5 |
| SHA512 | f310d0aba235525eacc219e52e402fa7c09726cc24a689a656fe121db9cc0fe4e5a304b53606d608fa271dafab085d07a42e94d455158c212796ff89715c3512 |
C:\Users\Admin\AppData\Local\Temp\Cab4701.tmp
| MD5 | 2d3dcf90f6c99f47e7593ea250c9e749 |
| SHA1 | 51be82be4a272669983313565b4940d4b1385237 |
| SHA256 | 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4 |
| SHA512 | 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5 |
C:\Users\Admin\AppData\Local\Temp\Tar4784.tmp
| MD5 | 7186ad693b8ad9444401bd9bcd2217c2 |
| SHA1 | 5c28ca10a650f6026b0df4737078fa4197f3bac1 |
| SHA256 | 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed |
| SHA512 | 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e6a8a0f137e0057bfacbcdea4f9f8306 |
| SHA1 | fc5b1f8c8e3a1aabaf065eb19b571349f73a41d7 |
| SHA256 | 967d01981a3d1faf8e9fd7c6bbbb5bf655d97a70eeb3717aaf1ef3ad44851694 |
| SHA512 | 1064e13af6950712d8677a3816494376ee2fea006e2de0b94f534b328520153718a35a3dec6f4743cfe1c4567885b3dad04cd6582f00fbaf51b3c25c5ac4e18c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82ad1f14766162df9876ddec6fb1e6b1 |
| SHA1 | 8a270d5099d6c4b1907248ebb421d69d6e457c59 |
| SHA256 | c8ff3583404a61f2c680eba7a55523214d95a1eb4ffc0325714311284d0094f2 |
| SHA512 | 634aacb98cf9d5877bba122de14b0b6d498fc84598b95534c7974f412465bcc4a1fb3be61c9ee07e14e97b1b984b061550a8160f8f86aa0da3510b7f06c94967 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b0ff6993d5468467ed4ad27aa455891 |
| SHA1 | 7aadb902f0351efdb1820122007d79cdb2207592 |
| SHA256 | 1fa79c1e567c75515a2ffb7dd0c50bc2fd8a38f187b01e25a5d4670335d14432 |
| SHA512 | 8ddf7026a04dc2975407365809488502a2431bc2ce1f0ca12cde98316f34745e6a4b71678d6849117820cc7c62c5c3e3fee62c2f8c77c3e9415e36fd15785f83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d97f423225550e6ebce14c2b8af9fc63 |
| SHA1 | 9f9dbd6c625dfdc920b013e3cd792bafc24e1a11 |
| SHA256 | 77e5fd6d13bb5cb228431de7fd5969476e4a2d804dba2d5cc2171bc92ae1bdf7 |
| SHA512 | 0d6bf1c7c3673d63d3017b26caa8c1b6ddc8ec5a05cf635e6aba1865c566870d3d3b16fef59450a443c2f6d479018cf8a701e3b0a95c8336739d09ba5bd2cd4b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c94072d047375562cd33419e8b2bf04b |
| SHA1 | cc151aefbad5c2a7eb11387af5ac4d1448da7e18 |
| SHA256 | 880bd1969ae73ec8096daf4243231c5e5dd40c29c0b5c2d51b7c438ebe7712eb |
| SHA512 | f5957f7f1c09d0c521051d2a6cf87b9a09beaafddd443f95a25b4bd8bb5bba2a96c9515222e57d3232181a18452953b27f8d5fd136ad8c8b36de96abc6e25aa7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b064595d1ce40e1cceccb414190d21a |
| SHA1 | 4cfde82df9800ec58203ec818c191a8d017f1554 |
| SHA256 | 198b7b0b5de24549ef49a6ab7a682d68afee67d77ff94567ada9886bea88cc76 |
| SHA512 | 49edc59dda5ff4f8f864f45c57a76f43ae9d7f8f08103ce58b1da0a75b0e616190e42c6b058771d68522e602edec04d2f7de2ae3153607789c008d8263279635 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 249c526e69a4e73e25c26fdb0dd21bc5 |
| SHA1 | 32db7e77c50a20d505e74f3ac2b3f62f07810c90 |
| SHA256 | 5c74277ed4af8ee2b9c2b516ad356ef8e3bfc09c0411d8233ba4fdf9ef504092 |
| SHA512 | e165243b4750866ee23ac6f3ab5b56d1f42eb36892e84cdb5863ccbedef8b7dbf9a51ca447774df859c5d104b79d40da75f78ddedc7764c5eab6f2c51c086985 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db3c90496896df0506155f00377551e2 |
| SHA1 | 06809c69b370ea87a387249a88c0ff5b90c1049a |
| SHA256 | a4f42ecdaef4eb09f9e7d71e55c28b9f91cd6a07f7cbd565d63dad1f0fc52e12 |
| SHA512 | 2cba69885161e451b02548c0388249df4f0025a1165389e76473ff54383b937ecf006c61c54f5e8fdeeede30095c9a7ff0a0cd49c625b4ebc8a8397f4914a050 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42dd8de1781c334532de04a2e7689f40 |
| SHA1 | fbb93be4b9724df93154b8a3e77d154f54f65df1 |
| SHA256 | 7b58fc37dac5875edee7b306d56f158149c8345db19f40ce9bfaa503fb1e57ea |
| SHA512 | 27b9131916b3dc20ab78c5c35c5cfa179899392ecc0a1989e50a0ef8907bb198f85ef29a0c81b81f9e409d7f35659a42d65c71cdffdc4d89387dcbef7f3dee49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2fde8c2918b0168647654fffa7d06124 |
| SHA1 | 244115edf2472479b7affb2dc96a994d9680e15f |
| SHA256 | 5d0eab68a967ed4e726cb960095f69a6dbaae5fe613bd34168fc562ffc29624d |
| SHA512 | 9de7ada1dd416cb3e035a8ac804e7bd6cb06ff44a08561a2a3b642cdd2fab6bda9de2db579d774c15b456a200d11ccf4c26cfd823aac8cffbc7b3103aba86089 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 16aec7e7f993a505426b49601b59ba58 |
| SHA1 | 00d1c4b80b98146234a5f560769aa9fbe4cdc2aa |
| SHA256 | 3bd5d62c9d121f2edc16acf3b8e49c590b330925eadd9f714e518e96056dfb12 |
| SHA512 | 84c4f6a163ae5b496a71472363a448efdd567e491be99303c510954587c39afed04f4bb4728ee500903d306c0a94fdf8a8afebf6d45ffe7adc599f9851486213 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e6cf31cc9f1705b8b1dde2c1776cc99a |
| SHA1 | 8c120f40cf47ee5380dd485c935321880d4f5a20 |
| SHA256 | 77d2a379596832ee8d6da66ebc6e1f3c9476fa85aa415b0ecda6d42a48626269 |
| SHA512 | 7309d5cc31e958e33eec1f873e10cdf28385e3c265c834c56ab3934a2827f551b59e0b8cc665e771bed0a8413743b373ee5da09221bc26f6ce1a882c2ac94692 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4eb55cce6c9f838eea204541c411505d |
| SHA1 | e416fcc6e506acbc2197c54ba15e1f0e50f86680 |
| SHA256 | 0774fea74e7c12d224b861263db11b7a427414bc413d2bd7d935ce13b3d5deb4 |
| SHA512 | 8d277c5cf2a468f2a430262b9619a8d7ac4abb717664a21f0d8660f0db4f8a932925b7dbda7f99c02e43dce58e56efdf9510ac7fa75cb7a99a94025d67fb4425 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 689846116e24c78bd5458aff1705c3b4 |
| SHA1 | bc60dc4f40671c20c54705d52425726e33c63bc6 |
| SHA256 | 8706901c8e1a72e87e36ccccd8749bcfc690af8dfa61ee32f0797bb5234b6d49 |
| SHA512 | 3c4f5b0db5f7e1b58bc70d6f5c98278d1908be1124b984c95f07756f064f9bfb94bfa41a312fd5baa5a56caf55b5a8e6f147f8bedee0f99dc9f28dd85bd69f0e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9db96df8f2c3d05bf18a7275a3e2363 |
| SHA1 | b89eae5c939eaa54ac698b9b2d24931ecc81bc57 |
| SHA256 | 4f92af68942ccc11ce0d7c5cf30318b04d840100981a184d729b644250f51bc0 |
| SHA512 | 5cfca76a40f58cf83b1b5f114054389021d02538f802649687fbf3d09d90416bf6f01654565a76e5061c4145dd2908fb632f0b29b92f828fab8e2a8076c3250f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7152b64586b5b77e4daf2c5a7ed2b63 |
| SHA1 | fda40d6c529ccc3523b117409172e5a8e852e71a |
| SHA256 | 1b321314a89195f2c906740d662fdbad9441db448cad51f90bc5ae18f3dc48e4 |
| SHA512 | c61335f33d399e2cb5352c5ded8b9011a7657b61241e5076414b569682185e708dbb73fa1b39841a56f3b219ea30c63c60b850aa6f0b850d113cb082dd8db717 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b7e3dd48f8e5b2bc059052f814ca0358 |
| SHA1 | 3defe235752ea3c6328e4a8f686ec29e2a2fae3f |
| SHA256 | da3f3760fb0e3c856c8b397c0b366a1ee0b440796f68186f2f167b5f582f3829 |
| SHA512 | 27cf68c9148402003911bb8eb14401b8fabbf387551d2d9abd86c87b5e88bcc24e49ac9fd699d740450667018ba7e791b3add9ae35ab37ed98929858d105e5a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7c84a2339f8f5de8dc90d8d314534210 |
| SHA1 | a2b8a2f96c7742336baa51bb2c70b3802c3da392 |
| SHA256 | 1a5e3645db50e44dfc684a7ed6db0655b7a397733b66de40a22f212bc4c5c27e |
| SHA512 | c58c535b0ce82b8f2c04ffb2065b8d9e86f1e91ff1db1b67afb1cf6786209c899a706abe8080c44e2bf513ef59d048758638896d95b2f368651a53b1b5b2609a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86b8f5f2d48cc7ef40b0ad749a2992eb |
| SHA1 | 0eb185f404b0a528f825efe3d019504e1eb1a9d7 |
| SHA256 | e80a1fb67353c52b1513185628ce6932c9a4bb6485c7d9401adcabfb4392449b |
| SHA512 | 535c3c162b054a859558e286c698dbb5af523ff625f7fdf913ad70a8608aa411b95a43aeb8dca98444e88d6455fc4c7d360fcf6711735955b18de670bf76470f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 13:01
Reported
2024-06-22 13:04
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Windows\install.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\jsp062201.dll | C:\Windows\install.exe | N/A |
| File opened for modification | C:\Windows\jsp062201.dll | C:\Windows\install.exe | N/A |
| File created | \??\c:\windows\install.exe | C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe | N/A |
| File created | \??\c:\windows\protesto1.pdf | C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Windows\install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\install.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"
C:\Windows\install.exe
"C:\Windows\install.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\jsp062201.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.correiosonline.com.br/pt_telegrama_sel.asp
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9050646f8,0x7ff905064708,0x7ff905064718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2564 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
| US | 8.8.8.8:53 | www.correiosonline.com.br | udp |
Files
C:\Windows\install.exe
| MD5 | 3bcf1d552a3f5ca5e641df52c572418e |
| SHA1 | d3b193b3adb12e4bc5ab29bae76105dc47941ee9 |
| SHA256 | ee2f91eb69ac18b9c057dd9e5716eb26fef37501e941f8b781e610477b76bb51 |
| SHA512 | 593d0a09305709ba8a318ebb94f9bd3db2798f865bc9b3b8a7d8191f0abaaf50be11dfead9f2b75e7c431de827d8a4416187aeece56396bee55ad63e686f99a0 |
memory/4264-11-0x0000000000400000-0x0000000000573000-memory.dmp
memory/4264-13-0x0000000077564000-0x0000000077566000-memory.dmp
memory/4264-15-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Windows\protesto1.pdf
| MD5 | 4756efeab0b28a6284ad7b07699615c5 |
| SHA1 | d0da2ffc0c5a6ab4236e28ebcc0828af3c91f475 |
| SHA256 | 8983faca41c1ed196f82ed2e4fd0927c69008e733e16b673b2b295c00f89ce56 |
| SHA512 | fbf3c22a3a0c88bbab3c4e626ba69451fa3ce51e265416f47e0272fcc86380c5e073a8fd40afac3f3b53317dbbd0dae5ab20096ce4a4949aef6f38c20a8f0539 |
memory/4264-20-0x0000000000400000-0x0000000000573000-memory.dmp
memory/4740-24-0x0000000002E70000-0x0000000003128000-memory.dmp
memory/4740-25-0x0000000002E70000-0x0000000003128000-memory.dmp
memory/4740-26-0x0000000001540000-0x00000000015DD000-memory.dmp
memory/4740-27-0x0000000002E71000-0x0000000002EE9000-memory.dmp
memory/4740-28-0x0000000002E70000-0x0000000003128000-memory.dmp
memory/4264-29-0x0000000000400000-0x0000000000573000-memory.dmp
memory/4264-30-0x0000000000400000-0x0000000000573000-memory.dmp
memory/4264-32-0x0000000000400000-0x0000000000573000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_1780_RUNHPOXJSRWUCLLY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a286cf5222c93ccc8234217b196a3ce1 |
| SHA1 | 412c0e5ab8ef2e3e1f3ba6abeda5c80ca88da051 |
| SHA256 | 1e25dde3f2106cc8547198736b85d7a293946a3df8014bdfccf469c8cb2d0e9e |
| SHA512 | 989fde1bdf93400f61bf7f509578470adf94a6af901d04fe86d7fb40456d050285c1aff79672cab52a22d9046093fe7fc8f8c91acaf15d671a4e05484438769b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 60c413158f45800c739a647951afe2c1 |
| SHA1 | 5f41df4aa2d50605bbdf9901d63f6d68280d099d |
| SHA256 | 2cc739545466e2172ae32dc109932b9a8ef7187f36fb438144b0fff6fbee4846 |
| SHA512 | 7cbd66baf5eaac4d43ba51c8c08f8ac03ec17652b4710db5b310c7f2a11e72b1211924e34835666552760d241ec88771550f61c759eabc0b5cf9afc728e5f1eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5826ea6cbad0100958310861101f30b8 |
| SHA1 | 6bf5385fb99981dad1950d11797b39c67d84d8de |
| SHA256 | e96436567b447488f4b3de4bbb85abecfc612ed0b82a956567f660d11d51706f |
| SHA512 | c4bbc964739c1355ed16bfc46bf02ace196e8346371ba572fb7f9a37ed259602674bb8fb8069506b291ffd17209ac1394439bd6ee2e91a1607a9f1742c627b4f |