Malware Analysis Report

2024-10-19 02:45

Sample ID 240826-nbkpaszhld
Target c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118
SHA256 6be9ec8ebee0a8c5fdc1b2aceb624684a5bbaba1d5961cb3f4428147300428ed
Tags
discovery ramnit socgholish banker downloader spyware stealer trojan upx worm
score
10/10

Analysis Overview

score
10/10

SHA256

6be9ec8ebee0a8c5fdc1b2aceb624684a5bbaba1d5961cb3f4428147300428ed

Threat Level: Known bad

The file c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

SocGholish

Ramnit

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 11:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 11:13

Reported

2024-08-26 11:15

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2628 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2604 wrote to memory of 2116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2604 wrote to memory of 228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2604 wrote to memory of 2100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeadb946f8,0x7ffeadb94708,0x7ffeadb94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14680722494177008062,7206834472200766389,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1300 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2604_DDKIADZOWQXIUJRO

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ff63763eedb406987ced076e36ec9acf
SHA1 16365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA256 8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512 ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5223a1b96c05b60d049c0de27a27572c
SHA1 45080e3afd60185da5c1838ff5842431ed07e39f
SHA256 34e6f9f1f967fe20a8481cec2bbbd70c41f897b09c6c856b89fe78ae791f6934
SHA512 b5fa2f3c5c6ba5cb34b5915afaeaeca5167563c20d187421e15e593989d88bead10f6f50cc206988acb86773a7904134b5892f98e809b01778a668a324e11c3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 65a35b6f9bbaa29de89dd102cb488f1f
SHA1 199cc22640236d69e947a002e6a5926c144c4653
SHA256 027e7ed25a2cfd98dfb47435e961cbe7fba58040990cf6583f9a389fbdee32eb
SHA512 3ec46edd8674d66e84309f2ad7480e93d6f1920333acec4b4818cedc31febb4eb9f79e02e8fd0c669c77a30e80eeb2485e712220288b99401fd1e3758bbfbd6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 63d2882b9cb1e2c8d128d91a053c6646
SHA1 191cd956ece8696b39fa7001b56409775ceb9aaf
SHA256 3bc9069da281fd8951ff68b33beff860527bcbab9e180f78426f257ebac32a20
SHA512 e3d82c354f233897f941446c28a7fbb369c74f60cba46e47ae09e4647e9e631cc4b69c9d37df803f3f8f09a2d9dd6c2d29c6c627ed9bee4db073cfd349d8c960

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb2f927941d10cd38a52b6a067001e20
SHA1 e06e0ceffd818b7f23dd8d8b7dfb26bf83fc2494
SHA256 439acc8652a62b3aa04f8147354798d0ff8c6489190e0e6c2a1fbff1b76131bd
SHA512 b647f6bfa544af7812381a938409210065997a9f41a943c1116b2c59d46d44751782c065247662c7b05a7dd8b364455a00cb52416e7172872b3d4eb26ff0afc8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6527d21213e12221cb0edef124c2b3c6
SHA1 fbd01a107f5e4cb962cfa766240f053514ae8a30
SHA256 e68097b2d81d223663194ce39dc5be724823fb7d7d92b0206740c6e70a4ed7da
SHA512 2bca78b8781546e05b0b2ad3356df4da919c56a7f3d6526055f66bc5ae9fec2f5a24313be29b46d9ef33c5fea3ca97994fb38ddd0f1ed0a1a0d464163a99cd9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 76ec17301e4b1150d5ecbf7389c6fa2e
SHA1 d5784ff7f7d65475c79e0ed81ef0a7cbff66eb43
SHA256 88fe804e98b4739fd80d9e203e6b38260a1f0a66760a01ca8b8f3965e795ab6d
SHA512 2d8793a1817add16c92d8f86b1ee1c644440a0d4a53817fbc0d726d266fca284f6d9ef2a1d49c1367500f1f98948af00f6d89922863261ab69be6790db79f4f4

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 11:13

Reported

2024-08-26 11:15

Platform

win7-20240708-en

Max time kernel

121s

Max time network

149s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118.html

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

SocGholish

downloader socgholish

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px6D34.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\Downloaded Program Files\SET5A40.tmp C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Windows\Downloaded Program Files\SET5A40.tmp C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification C:\Windows\Downloaded Program Files\swflash64.inf C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b13800a9f7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\weibo.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35F29101-639C-11EF-B254-46D787DB8171} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000008b5b5239dff3a7af7c69c1f5641faf5439053d7da1427ff26f26b91c4f7eeaed000000000e800000000200002000000053544fb96048df0e3843c5af8119cb6e4e38787b21e50cbb779a11d94986499920000000da685fdb7b0142e86ef4361a3519bc4b2493f1d5c7cd76fbc23beef44fd480ca4000000015836f90c54b5a36981d7717ae4880bd5b6b7a69af2d298c65a9ba73000c2f5be827702eb7c0a2d3ccea33d5049595bc491d1faf80e1acac2ff458d657dfaf78 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\weibo.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430832672" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2852 wrote to memory of 2136 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
PID 2136 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2136 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 2152 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2852 wrote to memory of 1680 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2852 wrote to memory of 1680 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2852 wrote to memory of 1680 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2852 wrote to memory of 1680 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1680 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1680 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1680 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1680 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 932 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 932 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 932 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 932 wrote to memory of 1976 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 1792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2652 wrote to memory of 1792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\c2e06514d87b4caf961ee2520a42b4d2_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275465 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:603148 /prefetch:2

Network


Files

SHA1 5285411944090fd33a51575efe4dfac6d8ab404e
SHA256 186e1acc18704ec7d3a4ab31bd98ff18d42b55cbcf4d72f5a3a7094ea8ff2616
SHA512 6bbce7aa40fe5aa50263021995dbb20adb624869f480750922550efb14857a0e23b35e5f1d04267d1866f2a7836b70f83f9d7ed7ee2cbcd83982a74845c55dea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 763fb44c47eedbc977daf1bd59d7d050
SHA1 9d0e16f527d9748023a70f8d7801182a708ab7b1
SHA256 d04cb1ff158d6def9e90c1d4d524e6a35c30ea5f7eda531bb13fadc1f8fbffc6
SHA512 23b7dd8c2f52b69e0a68350eeb5dc92209672f8e41c1ded4ce29f954b8c406b3c78ee888392e1b8fb495c46feb44a5bcfe4b49cbf661d078824afed3c00df7f9

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 572052b656fcf301d062d4a08afcda8a
SHA1 83b772dbb572db4e4a4c084d08ee3dacc4745bcb
SHA256 d57cb87af2c717fdbd410d59eb644657b61cdd790c13e7350060d90d89ed252a
SHA512 8f5d162a08a9b8665cbb52e4e8286c850d1921dba61380dda2c9b6b31551cd2e6f35ca247851cf22a27a1e122d7e4af54ec29ceadced8af4f6edcfb4c380d9a5

memory/1680-687-0x0000000000230000-0x000000000023F000-memory.dmp

memory/1680-686-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-694-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-697-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-695-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-699-0x0000000000240000-0x0000000000241000-memory.dmp

memory/932-702-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HTBGGANG\se[1].gif

MD5 ad4b0f606e0f8465bc4c4c170b37e1a3
SHA1 50b30fd5f87c85fe5cba2635cb83316ca71250d7
SHA256 cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda
SHA512 ebfe0c0df4bcc167d5cb6ebdd379f9083df62bef63a23818e1c6adf0f64b65467ea58b7cd4d03cf0a1b1a2b07fb7b969bf35f25f1f8538cc65cf3eebdf8a0910

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ab67fd68e26bce2dee9eda9c8484475
SHA1 23c7c2d86a88ca9803c2462155a831f07f92bae2
SHA256 88dc4601f0913483ac8bbd2b48127a56fab9dbf1c7e004a79c2bb87a98b98ceb
SHA512 00b083cf42adca6354d418b8380dd7e4db727585b53812393dbebe47447542ef09e91658b3e84ba6a08ecc1849d322b90c4212b93adcc82a47830c25413e1c48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c63dfb0ae1b6281cfb641757966aa8ba
SHA1 395738a4d31505068fc48b975d2388e378042cbb
SHA256 3a3b215a72e6c394d521a9ab03ebfd825f08be48187fe1d20af026f84c958b92
SHA512 aae068d8085836664d7a06dddaf453fcc4b266418523afe657ae681c8425bf31f3df1d7e6221349ee9c19c34ff3a9b7744695f8b3b057167bbb3468b7d9a77b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 1ab60b14cb1fec9a812129bc199f9be5
SHA1 2ae3e919dff4ee1830d5948018d6a33db15bf978
SHA256 07ea1e9af86962fe6388cf57ccf0534de7172a0406d6c3d765c6098663b59a53
SHA512 760de08a1fa0d5b70f6f460f7c4ef089c60f49e0b5f7c4e7fe98e77fad1a2446ee4e6f78c00821046fca87821447441bdf94dc6ac699274f65fb0a95ba5a80ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3775071244b711f42c1c8e8239706602
SHA1 6d52b6681434e441a4eb98a7c302c20562e576ef
SHA256 db46e2a4d3eef1c89264e01754fddfce870a8496c8f098a8ff388abc1d633127
SHA512 b22efa13e364cfebc25350fdf6baa7728ab3c82468685f94f9592f5f8dafebb810aebca51ed277715130da67297666c881007202461fcc245b60d53fbccc0f44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 0ee524c33ad9eff2b978aa366ec41471
SHA1 9129b112ea3b6ca005243e21e3ddd929b196a804
SHA256 7b3030341c8096b72bf5c261224b000635e61ec4f09ae737b81b86bd4cd9662d
SHA512 f2dbc8f4b52fbcb0c7edaec333281840023867af378e4b79ddf76483896548880e1164248df499278d44bf3c0c1b434467c07ee3abfc513ba8db00ce9dbf22d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 846d4f0359007e63671dd8ba58e84503
SHA1 f89854769e97cdacf7a1eeb72b678f58171aaaa5
SHA256 6f1b585247662e26b04592fb48f1ef8970f3f3349d9a8c53a9bc978424d22ed6
SHA512 4388afe61354d3bf44710bb8360409fa34fa0436cbf2a0d51ce95de74655dc3ba668aff22f24e7bcf3db4a6a9d4fb0e4ddbdeae804e6e7fd41f38e4acee34083
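Reading a listing like this by hand is error-prone: the same CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 path appears over a dozen times with different hashes (CryptoAPI rewrites its CRL/OCSP/CTL download cache as the browser validates certificate chains, so each rewrite is logged as a separate entry), the Temporary Internet Files entries are fetched web content, and the one executable in the whole list, \Users\Admin\AppData\Local\Temp\svchost.exe, is easy to miss among them. The memory dumps also repay a closer look: PIDs 1680 and 932 both had the same 0x400000-0x435000 region captured. The parser below is an added example, not part of this sandbox report or its tooling; it reads the report's own "path, blank line, MD5/SHA1/SHA256/SHA512" layout plus the memory/<pid>-<n>-<start>-<end>-memory.dmp names, validates digest lengths, dedups by SHA256, and separates cache churn from artifacts worth a pivot. The embedded SAMPLE_LISTING is a constructed excerpt of six entries copied from the listing above; the noise markers and "interesting" rules are this example's own assumptions, not the sandbox's classification.

```python
"""Parse a sandbox 'Files' listing and triage it (added example, not report tooling)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: six entries copied verbatim from the report's listing.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd56b6fff9d385f4e53e6f6fdc27e780
SHA1 6f3baddfc55286aad4cbd452800a07369a284509
SHA256 b5f040b526d979708e9d743f0de5297deda5a2efded83758ef545db6972d95ce
SHA512 3a1d44242e4ae7d58d0e59aef337bb011d7917c90bd37fd10d46d6a06035549c92a7463215b975460057c948c00b98beb1ff63e2f4b266db32c2b6b49ea2132c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8eec1048980249e213dfe42336f4e0ee
SHA1 9643d2f5d5047de2d8e9d7f9552f2f12ce1e3eb0
SHA256 0dfc2b63567ad2c2839dc27e1e6e7ae02a0126de4830480868f0908dfe697344
SHA512 20b19299f08d0cacb376e2224b00c339083cc3b1bf7016a071dcb1dc85fed8b4582fa4209120d8d357013bfe50125e015b1a572709db16d107954f56cf9b43f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2UK8J8K8\gls1[1].htm

MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 572052b656fcf301d062d4a08afcda8a
SHA1 83b772dbb572db4e4a4c084d08ee3dacc4745bcb
SHA256 d57cb87af2c717fdbd410d59eb644657b61cdd790c13e7350060d90d89ed252a
SHA512 8f5d162a08a9b8665cbb52e4e8286c850d1921dba61380dda2c9b6b31551cd2e6f35ca247851cf22a27a1e122d7e4af54ec29ceadced8af4f6edcfb4c380d9a5

memory/1680-686-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-694-0x0000000000400000-0x0000000000435000-memory.dmp

memory/932-699-0x0000000000240000-0x0000000000241000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumed noise: CryptoAPI's CRL/OCSP/CTL download cache and the WinINet web cache.
NOISE_MARKERS = (r"\CryptnetUrlCache\\".rstrip("\\") + "\\", r"\Temporary Internet Files\\".rstrip("\\") + "\\")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".cpl")


@dataclass
class FileRecord:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def noise(self) -> bool:
        return any(m.lower() in self.path.lower() for m in NOISE_MARKERS)

    @property
    def executable(self) -> bool:
        return self.path.lower().endswith(EXEC_SUFFIXES)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> Tuple[List[FileRecord], List[MemoryDump]]:
    """Walk the listing line by line; any non-hash, non-dump line starts a new file entry."""
    files: List[FileRecord] = []
    dumps: List[MemoryDump] = []
    current: Optional[FileRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # a truncated digest is useless as an IOC
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            current.hashes[algo] = digest
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        current = FileRecord(path=line)  # drive-less paths (as the report prints them) are kept as-is
        files.append(current)
    return files, dumps


def triage(files: List[FileRecord], dumps: List[MemoryDump]) -> dict:
    """Dedup by SHA256, flag non-noise or executable artifacts, and find paths rewritten during the run."""
    by_sha256: Dict[str, FileRecord] = {}
    path_counts: Dict[str, int] = {}
    for f in files:
        path_counts[f.path] = path_counts.get(f.path, 0) + 1
        if "SHA256" in f.hashes:
            by_sha256.setdefault(f.hashes["SHA256"], f)
    interesting = sorted((f for f in by_sha256.values() if f.executable or not f.noise), key=lambda f: f.path)
    # The same address range dumped from more than one PID: one image present in several processes.
    ranges: Dict[Tuple[int, int], set] = {}
    for d in dumps:
        ranges.setdefault((d.start, d.end), set()).add(d.pid)
    return {
        "unique_files": len(by_sha256),
        "interesting": interesting,
        "rewritten_paths": {p: n for p, n in path_counts.items() if n > 1},
        "shared_ranges": {r: pids for r, pids in ranges.items() if len(pids) > 1},
    }


if __name__ == "__main__":
    result = triage(*parse_listing(SAMPLE_LISTING))
    for f in result["interesting"]:
        print(f.path, f.hashes["SHA256"])
    print("shared ranges:", {f"0x{s:x}-0x{e:x}": pids for (s, e), pids in result["shared_ranges"].items()})
```

Run against the full listing, the only entry that survives the noise filter is Temp\svchost.exe, whose SHA256 is the value to pivot on; the rewritten-path count shows how many times the CryptoAPI cache file was overwritten, and the shared-range output points at the 0x400000-0x435000 region common to PIDs 1680 and 932, which is the dump to load into a disassembler first. A digest with the wrong length raises rather than being silently recorded, so a listing mangled by copy-paste cannot leak a half-hash into a blocklist.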