Malware Analysis Report

2025-01-22 13:50

Sample ID 240907-rk6jxazepc
Target d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118
SHA256 a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255
Tags
njrat hacked discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255

Threat Level: Known bad

The file d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hacked discovery evasion trojan

UAC bypass

njRAT/Bladabindi

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

AutoIT Executable

Suspicious use of SetThreadContext

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

System policy modification

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-07 14:16

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-07 14:16

Reported

2024-09-07 14:18

Platform

win7-20240903-en

Max time kernel

119s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A

Note: ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators, and EnableLUA = 0 turns UAC off entirely once the machine reboots. Both are written by the initial dropper, before any payload runs, so a host where these values are 0 without a matching policy is worth treating as compromised even if the dropped files are gone.

njRAT/Bladabindi

trojan njrat

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2684 set thread context of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cat2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BF74A3B1-6D23-11EF-9E32-4A174794FC88} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431880449" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80af5da53001db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000000895506a961aed03cbef197ed7b1a3b7967a1ee0e8a167fc320ccab435c97c12000000000e80000000020000200000009706d1e6f42d5fcb933dd3ffabbba92bd35baa2cc96af9cbccace157acf0fba32000000019fa06c5d7661812ffa814ba3371fce19042448edc90b14a377be2c8e26fa62940000000c4e3cc38dc74f480814300190a1ff8e301a826456040065e29e594e25648d0059ffeb0e15d677c48ec49e10b8cff44f09b3e059b4e6e37b6ddf7e27379a4464e | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
PID 1796 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
PID 1796 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
PID 1796 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
PID 1560 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1560 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1560 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1560 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1560 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\cat2.exe
PID 1560 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\cat2.exe
PID 1560 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\cat2.exe
PID 1560 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7366\7366.exe | C:\Users\Admin\AppData\Local\Temp\cat2.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2684 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2996 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2552 wrote to memory of 2128 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2128 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2128 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2552 wrote to memory of 2128 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe | N/A
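The UAC bypass rows and the SetThreadContext/WriteProcessMemory rows in this run are the two signals worth automating, and they only mean something when read together: the dropper tampers with the UAC policy keys, and Server.exe (PID 2684) both writes into a second copy of itself (PID 2996) and resets its thread context, which is the process-hollowing pattern, whereas 1796 writing into 1560 is just a parent spawning a child. The Python script below is an added example, not part of this report and not the sandbox's own code. It parses rows in the flattened Description/Indicator/Process/Target format used above (SAMPLE_ROWS are copied from this report as constructed input) and turns them into ATT&CK-mapped findings. The row grammar, the rule names and the technique mapping are this example's own assumptions.

```python
"""Turn flattened sandbox signature rows into ATT&CK-mapped findings.

Added example, not part of the report or the sandbox's own code. SAMPLE_ROWS
are copied from the behavioral1 signature tables (constructed input); the row
grammar, rule names and technique IDs are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A',
    r'PID 1796 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7366\7366.exe',
    r'PID 2684 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe',
    r'PID 2684 set thread context of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A',
]

# Row grammar inferred from the tables: registry rows end in the acting process
# and an "N/A" target; memory rows carry source/destination PIDs and two images.
# Paths contain spaces, so the process column is anchored on a drive letter.
REG_ROW = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.*?)(?: = (?P<value>"[^"]*"|\S+))? (?P<proc>[A-Z]:\\.*?) N/A$'
)
MEM_ROW = re.compile(
    r'^PID (?P<src>\d+) (?P<act>wrote to memory of|set thread context of) (?P<dst>\d+)'
    r' N/A (?P<proc>[A-Z]:\\.*?) (?P<target>[A-Z]:\\.*)$'
)

UAC_POLICY_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# EnableLUA=0 disables UAC after the next reboot; ConsentPromptBehaviorAdmin=0
# makes elevation silent for administrators.
UAC_DISABLING = {'EnableLUA': '0', 'ConsentPromptBehaviorAdmin': '0'}
LOCALE_PATHS = {r'\Control\NLS\Language': 'T1614.001', r'\International\Geo\Nation': 'T1614'}


def parse(rows):
    """Parse each row into a dict; rows that fit neither grammar are kept as 'unparsed'."""
    events = []
    for row in rows:
        m = REG_ROW.match(row)
        if m:
            value = m.group('value')
            events.append({'kind': 'registry', 'op': m.group('op'), 'path': m.group('path'),
                           'name': m.group('path').rpartition('\\')[2],
                           'value': None if value is None else value.strip('"'),
                           'proc': m.group('proc')})
            continue
        m = MEM_ROW.match(row)
        if m:
            events.append({'kind': 'memory', 'src': int(m.group('src')), 'dst': int(m.group('dst')),
                           'act': m.group('act'), 'proc': m.group('proc'), 'target': m.group('target')})
            continue
        events.append({'kind': 'unparsed', 'raw': row})
    return events


def analyze(rows):
    """Return ATT&CK-mapped findings derived from the parsed rows, in row order."""
    events = parse(rows)
    findings = []
    for e in [ev for ev in events if ev['kind'] == 'registry']:
        parent = e['path'].rpartition('\\')[0]
        if e['op'].startswith('Set value') and parent == UAC_POLICY_KEY \
                and UAC_DISABLING.get(e['name']) == e['value']:
            findings.append({'rule': 'uac_disabled', 'technique': 'T1548.002',
                             'detail': f"{e['name']}={e['value']} set by {e['proc']}"})
        for suffix, technique in LOCALE_PATHS.items():
            if e['path'].endswith(suffix):
                findings.append({'rule': 'locale_discovery', 'technique': technique,
                                 'detail': f"{e['op']} {e['path']} by {e['proc']}"})
    # Process hollowing needs both a cross-process write and SetThreadContext on the
    # same PID pair into the same image; a parent->child spawn (1796 -> 1560) only writes.
    acts, images = defaultdict(set), {}
    for e in [ev for ev in events if ev['kind'] == 'memory']:
        acts[(e['src'], e['dst'])].add(e['act'])
        images[(e['src'], e['dst'])] = (e['proc'], e['target'])
    for pair, seen in acts.items():
        proc, target = images[pair]
        if {'wrote to memory of', 'set thread context of'} <= seen and proc == target:
            findings.append({'rule': 'process_hollowing', 'technique': 'T1055.012',
                             'detail': f"PID {pair[0]} -> {pair[1]} in {target}"})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_ROWS):
        print(f"{f['technique']:10} {f['rule']:18} {f['detail']}")
```

Run stand-alone it prints five findings for the sample rows: the two UAC policy writes, the two locale lookups, and the 2684 to 2996 hollowing. Treating a write without a matching SetThreadContext as benign is deliberate, since CreateProcess itself shows up in these tables as "wrote to memory of"; that is why the 1796 to 1560 rows produce nothing.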

Processes

C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7366\7366.exe

"C:\Users\Admin\AppData\Local\Temp\7366\7366.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\cat2.exe

"C:\Users\Admin\AppData\Local\Temp\cat2.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | learn.microsoft.com | udp
GB | 95.100.246.21:443 | learn.microsoft.com | tcp
GB | 95.100.246.21:443 | learn.microsoft.com | tcp
GB | 95.100.246.21:443 | learn.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Note: every connection in this run goes to Microsoft-operated hosts and follows the iexplore.exe launch listed under Processes. That launch is the .NET runtime's missing-framework redirect (the fwlink URL carries o1=SHIM_NOVERSION_FOUND and processName=Server.exe), meaning the dropped Server.exe asked for a .NET Framework version the win7 image does not provide. No njRAT command-and-control traffic was captured, so this run does not establish the sample's C2 destination; the dropped-file hashes below are the usable indicators from it.

Files

\Users\Admin\AppData\Local\Temp\7366\7366.exe

MD5 8434e4174c6477cf4f53c667d8403ab1
SHA1 cd33e7822c591d85225c07217c78189c25b5f75b
SHA256 662b4f9336665edd36208b48c94f61bdcf32df0c6e5f92f03e34c662c0c09be4
SHA512 540bb033b2099138a1498554ea2f5216236d56db106ba07589e6842a2272a1ee468e2e894a2b4d214ab6f614bad9added522950d319de899a39ebc46f1a9cdd1

memory/1796-4-0x0000000000B00000-0x0000000000B33000-memory.dmp

memory/1796-17-0x0000000000B00000-0x0000000000B33000-memory.dmp

memory/1796-16-0x0000000000B00000-0x0000000000B33000-memory.dmp

memory/1560-20-0x0000000000400000-0x000000000043299E-memory.dmp

\Users\Admin\AppData\Local\Temp\Server.exe

MD5 e3d8ec29da5489a16a5e9630bafb4a40
SHA1 298c51871b537951eadf69f13d3b3c61e1e8e55c
SHA256 18b0624fbc10e1732b69a6e87dbe4b09f13368119a7085153b7f12d6802a1c81
SHA512 4fb4b54729dcaf8d53c998fa18ebeaff743be20df30f49a153f5c2e366302a42c32011fc3a0fa350748490e2cc069333ba3b1e28f3f9a831fec2c27792a34369

\Users\Admin\AppData\Local\Temp\cat2.exe

MD5 cdf4fedcd923d85043598b7f5232a794
SHA1 35043dec26dd11862797ffeb87611e0a6e466b2a
SHA256 540e5a66a4241fb7a2a68a007abb96c2cb6b49755a3482e796a98ca93d654b8a
SHA512 4685560f46c32c170c850e686f7c504d5800caf005428ba145c54ab0cdc429f5ef361db2f0a114a0054085be80bcf3d74393e59fbb6402efc89a5d159bb70359

memory/1560-39-0x0000000000400000-0x000000000043299E-memory.dmp

memory/2996-45-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-47-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-50-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2996-48-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-46-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-53-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2996-55-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1796-57-0x0000000000B00000-0x0000000000B33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5580.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar55F2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7bd2c4f350e7e9ab82a458600c582ad
SHA1 9d4ab3f233c1c7ed04b0d0c7756a9de9aff995d1
SHA256 d667ce40904eb0ffaccfcc3267084367076a481f4bb567f7d1ff105671e70989
SHA512 3b40ba04453aaf9e1a36990b952e74d43d192876ead542c2908837cf6792ecdc3c3297e4feeb8d9eb66666d7a9115c37a901ffe2ae7279b9748a975ada9b847b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1334c5b8369585c3f6bdcfe56991b6c6
SHA1 be34d6af4849fe4ead7aa50f2b9632b261826ab1
SHA256 4baf4859376c39b92b7e70cb26862e72c354c9ac0727374b03c8ff9149e3be4b
SHA512 f8a0fb198ec210345b3cb53e55ff4d615d9b8eea1cff9ae5d1c65e7e8aeed87ba2381ac1d899e749114855e9d271985198df183bfdc5eb638ded93f47cec139a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90494320c665b104339f5945172f55f2
SHA1 35551d65722cea57b035ca18477e8cf7076f67bb
SHA256 94e939d292e8c9c449aecdcd983abb8ae66bda47f0ecc8c8b384879a117878d3
SHA512 26bc0430b4eb2b379970e73f15f6bf6ac0be725b0747b6029552eb58e9ef693073cac1fd351fe6f69825bb038dffd116bf5d0e932241895456514ef1115ebd93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea0506455d995d029586961a7e8970e6
SHA1 a656b47ddd28ca3f3a8d4791b13e500f055fc96c
SHA256 226c6cc0f811e6f35f7286dbb3aea24b126c2f356b9a3cdd0ef448d74377a1ce
SHA512 3aeca910c6b94e4f4916a2d1f25a09349d9274b23b7be30682ab7cb6b236aca492f8dd84352ceb446420f145c9cdbee43dc55749ffea7b12025350eefb78de3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e59ce04ddd8300dc8e1033fbcc5cd52
SHA1 3cc81b5f8d5bb0a139a4ad1b13534f6e02019f19
SHA256 07efeb720ee8d14daa0a1f027e816aa87c35a696782c51e696a7e996e8b04e50
SHA512 d926f116bd8a41c0b2c62205ac089d3456dfb42269b909da39b18125ec4bf1850bebb5450e6ae9e036255a02e487572e2e8b2f83ce23a951774921c9aa1c9629

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73a9ca22addfbddb7529f1d96a081414
SHA1 18c38a7f0cb7450794e4a86531202bb366529e1d
SHA256 bd1c9a2c38a0174b737ab0c9a8e604cbd5cdfcf910e68ace6893372c3d01e26c
SHA512 051ee6719f013ee5a9bf1b806ea6d815a32c19320e0c16f98cc5ac1e85a06c7334b6db9bf26131544a7baf5fc7ad09d8bb0e74d20493b02440d89d534ca0d6c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 67e11ac2b5a4f2fd80730f02c81c944c
SHA1 ebad1d542cf7f49b6f68c0342491ed940f4503a7
SHA256 f27e6257fc1849aa0acb0767ad67a71f6876186467d1b7860671d1055816cd24
SHA512 fa37c2d6400154869405e26f90195768536403cd0b64426a97861824a5eb0eca78a4997a22b3f9c3825a7ac54e2c783cf498e48e3da0c871f6650c79e75ad57f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 229f9a14494184ff5e66063c263af635
SHA1 569b7d0b4469a40f148c559262af6347c65f4fc3
SHA256 73310b115bafbc341d85313dbffcdbf5810d2342bebbfd324847f1b11df3b6b3
SHA512 94d50b271121e44bba996c5bc3a1cafb918f0e62a95187c2a47d4504e7297e6c94a0dc0575ceb93ec929cc87a2057a451d61a3e9d0ac7f0769d32628b0addd80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09df50afe526bf534096c4b1e9e5a7ae
SHA1 850c64b96832f6fe6be139a8c350f94f1d809037
SHA256 b79f93d12a59bf06a71e637eabecb2e7287b95bf14022d5e7a1833304dc11479
SHA512 257cac56a32672c639e562f19a6b85d0c5100d48c5d69a3bc8fcd0063e8bff17ffd25ed763cf3e6c0466fd15de1a39f8688514d541f17b5eb6c6cd808b789f61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b168c1d5cfcf7a5087278985172ca9f
SHA1 ddd3d0243d83b05be2a4284da3de98704c587674
SHA256 fa36158c6b5e592642ae5ed84c3ffb295ee2c5fe8fab2de5689a032493354355
SHA512 ddb327841b37c0dc8cab401caeaf933ab8fe510afeeec64c1f0c2ed125096f0826b4e4e0fe574af05a9f7841708d15126ae56f06ae48800e753f71560f680caf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c51a83dbbc64175f5533b76d5c70639
SHA1 2eb916fd0ea85c749bfb9b0ffcda0811d655f5c3
SHA256 f5991d50b84bad9ebe86270ea3254fb96212ce2806f8621f48e1e8f227e99a0c
SHA512 fefd83219b1072fda2be685540d4df6a35cda09c003da17f39f4bfce481fc3eb32f5af846dcca67d0c032c7fba1ce8b209bd173e009cee0c2b2bc6c65df08fca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e4550cea3a7bd0313566cec8536e425
SHA1 28a5d8089d8e1dbe31a12845857ca1e0a87bb3ec
SHA256 12990ae3a5e4604fbe2179871fc3597e2c1d9a4b8235203efc5711c47b70b302
SHA512 0cb2152fe00aec73d84fd5c7f11718588adb3de285e28b1f2d85e6d0bcf56cc6038190ab0f13bfef538e5ecba3fb7d4e86aa9464e26c0434c864025d24992ed0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce4bd29ce5784daa09945904612f223c
SHA1 1a51e293f4cd66935ba7ffed6f16d3ad453433ec
SHA256 75bb182beaa0bc535fb1a8dd471e6a690985d7a6b30d9792dd30923a7abf71dc
SHA512 4aad8ebce694eda9f2d3beab3d6abb7a979e4536a78fbf2995fab4e3ad17504ab95710e863174ec579945ceb8a474f7c8f156acdbb5e900118f47bb67afa79d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 191455f9cad91263b79dacd9c3f9f32f
SHA1 704c0109424b49947f79690e866b004fbaefa1ac
SHA256 098dd29da56f3c64eef5a33c769aa7339c843e6c80815311287bd3ddccc7277e
SHA512 3a6f87eceac70454c298064cf388453df4af10bb128ffb1a7f4f4011392ef53df8847a697e2df83ec0220940a6cfc25f1abc5457164816ebe2cfe68ad92224bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82116a04315b2c5a6e99723038e4dc12
SHA1 cfd725fa4295f4d2994d7816e37dbddbc92d25cb
SHA256 81e2aa9a9f6d55f3a8f13c472aad3fd8382f164390d45d2df270b5c68645d4ff
SHA512 e15bc3cb676992469029c38b704ea6a9fa9e98c4952cec1168a498e37587034ec0fb9ae8d0da8aa48873c775eb590fb05533ce9f0bea2ea74c84f2c1b47646db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e8c243d3ddafd313027dcaf2c2806b2
SHA1 0672ee409ff8f2734f3e0f63b890594cdb7d7e61
SHA256 1eeb1dd7cff0573f9c3d5f98d0b215023d781e12694ba1a7d6184933f0c0e271
SHA512 0efbc13bb757b695c5f9057f85239158001fbe1bfdb4bf2257e0074355f96106a85ba85efbe9aca4cc82e7b784e6d71fd640bfb09b1d7d1f647684f5ab5f8a6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53ec59fdfeb74ae54f97621a2b9daafc
SHA1 06e9652fca7cea8c11cf355a7bceb8bc44dc768c
SHA256 134d9c1f43e20f15972a0eafbe041b81536a2631d5710782fa7898c0b93f00c8
SHA512 c68e42921b09e9730af043086097197ab71bd7fa579ee334913ad6e00be9dd8e10d1204eebd0d812da9e6d2619379fcfb1b38f1d0f0eb720fc16de78a2a074be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0afe859782a05c74a2a78d97d7174d15
SHA1 427d4285f902920b5278b8e93da2b7c1fe58d679
SHA256 3d71b4a21745124c30dac771be2b791c549d6af46ad82db29d7b626d1957b1e9
SHA512 7ebebd88775a719503a477896972d363ea9972237561edbdade2ab1f13aa6be9c42fe477ad6787b9f973450b1c7a50a52c30ee7ccfe54f51b1e5ab6e420a9017

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd00892765770ae9238edb6683ce1237
SHA1 74dc3544e88a9f00913ca439e59b901e6d7e1fbc
SHA256 5701daff0fb44204ab673d37b8b6f3fa672bb6152031b2ab6ca9ef0b6ba51777
SHA512 c96d5666d1ef1490261f988e9700c667712ae96e6847138bb490eb078575c418a76b3c0ff5fe6b3702c4d5b9f5801e5aa8f80b6a6fd0e0163738f4a757520b6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2ce908d10887c6c7c1dab013510c44f
SHA1 b3b42d16307d58169cf160b6451c9f85e096664b
SHA256 bf51388a51cfefe9a0a55cff8fc1e3c138134fa438afb8801f617fd3177d4596
SHA512 66aa502746158707b2e4e0a7496ceab60aabed7c3cc398c3c7f22d209944b3188382a3455ebb62eabe74e2d89ec2b72a40be1bf3af9243f4f32dce745d8290c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c863c5b4cc5e5dba6520fabe128524e0
SHA1 07340b8958005a02b011afbbaa29b02e2b0c089d
SHA256 85ee3335f4d51eee6c419d6231e7c3026e8f3ee8c03847d906bf9ec093afe8cf
SHA512 315db839f8da37fc95f0e2fe7eefa2304488996a7f4bfda18ff8dbb184183094300fec03b54c96f93b623897eaa3307c82d5aef73259e7e5be8c910e410b9d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8631ff89fa13030889076aeaa90547a7
SHA1 4eb6afd8bbf4c1561915a86837e6d0891e93c3d4
SHA256 80d81902a250b16ba8d7d9a79a726434f7083b501f6d5255b1216a16212c296c
SHA512 b47a08d1cc5b2cc1c3fe9d9451c8df139e22876ccce3a2f8fd245914595f893d0131650ada5254237fe7eb8130f208a9c6fb09196eb5e9936583a06c2f8f2b46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d781eb1483939e3cac593c52200830f
SHA1 e1cea36a15869cc29795c7fa4fa62f3d9a066903
SHA256 d1c1bdcdc71d84bce391ae88d1d527cdc893960b63f0a13b42a475d71b1896ca
SHA512 c507eb1deccae5a1ee425a97374b8fe3b5803b1ac84c7d9f40919575851a326b0039a7344bb79796b2a30b1330c9254ca0871c2bfd819c902add161307753910

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f92e54d7a079ce00c4026d7976bdfd2
SHA1 9578bddd00574dbac6f82a57c81582ea404d9238
SHA256 b66250ddf7f05beed6a94ad18ca82559f7fc663d83030912598709b6d5c1f15e
SHA512 5f0ac43f93963c7c5a8ebb08a2cbff2c918d188833ba4888842db1122889e76bd1d09ed76728bccae43313fd0cc4a8419ff3d1d67139023b263c07ae1fcc2781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05728f3327893d62e5bc120fa6151296
SHA1 47c64226a36e5e01086b10cf99cd961f4bac42af
SHA256 4155c439d221e2771076728b71b97c5609a1f7eb1f4e7f5a1ab8a77fa8f3b540
SHA512 82c8a95826b5e715990c6010abadc95b8b1dc4eabed508293ff9a109b4c41a48845ccacdd63e2b5e6800dafbad41977efbb05c22fbbe2d32dda4dca20b29d8e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd32fd351e881426518a02cd4cd0d431
SHA1 32a8cf5794b948636410fa8262f506050456764d
SHA256 b5caa011f06c3431d3b58ac957513570cecac04efa3402db4a19e2ee5473c6e8
SHA512 9cc05deeaad08c6bebffab638663b13074a6aaafc95d3afe3ed9a9e7f2752a93824c4e649adda7c2227091481b1a7574ecfed8ca3b13fb1fad9972e6a4b268c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d692ecf721ab0d468e663b916197a880
SHA1 42969546e8affa902b7d4d3b33344581fa2abc4a
SHA256 d0555972d0dc531eb754eca7236258beea5f4b0d836e2e7ee9a78c5787e881e9
SHA512 4e9fcc7c4f2e99583e5046aaed7683e55e91bff79eaf1b8aa7fb598c04cc2680243cba1470007908c4417bb7a756af5f2f38c30430032b7bd0744038519bc5b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 331f501f5eac6090617a8d445862c27a
SHA1 a2f889ab7b0745db615b5cce4c5af34bd685482c
SHA256 2bc6427bd35db922c18f7456a9a2213333b244391fec001fac565017af2de2ea
SHA512 5cd230a6825d5a5722b14a736130a1d7ce3b08cd049e8ceb0bc8ae456c0fc0c0662d4d5d386189e74f7f82b0eebd081fc9d3c3e0b75f073e9edcc3e3a4149d92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11772f922cf9a7a085df29fa99b60f1b
SHA1 77a5d7c2c496829393a765612b86507471668c84
SHA256 acb45627470cfe0beb6967c522800014d35220ea4a30e5004013f7e53080c139
SHA512 9db2b01aaf61c19eb097c96312a32938b028da8cbee04a7908b6b82793e2ede357e9c4d189b58121622a3c6193944bc661465d7465a8195f6122a1f31a99b5d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93988cc1f03e3fcb2277edf0325ef160
SHA1 28eb21148a63e7659adae7aa59cc97fc502202ca
SHA256 8a3e6535ff7526c1f069d7d2195a22025163127b89d93ea8c7602312a50c2f5a
SHA512 f7db92eab1cf2a10407247f79dc3385857f61ff56696478108c4ccd10cd98206808cd1be174b9289dfd98483121a6c21d2a0fbb7362e0e687790018be92a04c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd24fe06825b1bb42e99dd099a8c22a0
SHA1 46d104e7b4ade6d856af4003d7ccc1ed4e160e44
SHA256 2b6f9f7b4c0334595723552636c32e00e9c9dc89ba1dbfc1e2549b267fe24da5
SHA512 a33c8b68d6859b79e030a869d724a93422077b24cf8be1357889f5a3d2aaaf8c3b6dbef387d01221aa61712e4ba431fa230c00a082b2527744424ea209df0543

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed77c52b557cb6f19c351cb02a85e5f3
SHA1 d01ce00c98d721da16ac1d5bf430f5580cd6b9d9
SHA256 b0d144e776619cd667e960649c4aef2b293d5f210bcf418fd7a7001d6dd4f2ff
SHA512 ff2c5a8d95b8036d8449f1e62621ee51aa06d03fdf4de2b2c04c565fcd660f0c0d795758c29dc990a7d664536ff22d2b92cc1b6c2495bb02670c3138d9d93012

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-07 14:16

Reported

2024-09-07 14:18

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"

Signatures

UAC bypass

evasion trojan
The two writes below target the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that govern UAC: ConsentPromptBehaviorAdmin = 0 lets administrators elevate silently with no consent prompt, and EnableLUA = 0 switches UAC off entirely (it takes effect at the next reboot). Writing this key requires administrative rights, so the sample has to be running elevated for the writes to succeed. The same writes are listed again under "System policy modification" below together with the key creation.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7366\7366.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Server.exe (PID 4728) launched a second copy of itself (PID 3296), wrote into it eight times (see "Suspicious use of WriteProcessMemory" below) and then reset the context of one of its threads. Writing a fresh same-image child and redirecting its thread is the RunPE / process-hollowing sequence, so PID 3296 rather than 4728 is the process that actually runs the njRAT payload; its unpacked image is the dump listed in the Files section as memory/3296-29-0x0000000000400000-0x000000000040C000-memory.dmp.
Description Indicator Process Target
PID 4728 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7366\7366.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cat2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7366\7366.exe (x3)
PID 4532 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7366\7366.exe C:\Users\Admin\AppData\Local\Temp\Server.exe (x3)
PID 4532 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7366\7366.exe C:\Users\Admin\AppData\Local\Temp\cat2.exe (x3)
PID 4728 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe (x8)
PID 3296 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 1324 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 1324 wrote to memory of 464 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x40)
PID 1324 wrote to memory of 4384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 1324 wrote to memory of 2300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
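The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the process tree and to spot the hollowed process without opening the sandbox. The following script is an added example and is not part of this report or of the sandbox's tooling; the rows it parses are copied from the report (duplicates collapsed to counts), and the "hollowing" heuristic, a parent that writes into a freshly created child of the same image name and then resets its thread context, is this example's own assumption about what those rows imply. It also assumes, as holds for this report, that every write target is a child the writer launched, so the write edges double as the parent/child tree.

```python
"""Rebuild the process chain from sandbox 'wrote to memory of' /
'set thread context of' rows and flag the RunPE-style injection."""
import re

# (count, row) pairs constructed from the report's signature rows.
WRITE_ROWS = [
    (3, r"PID 2456 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7366\7366.exe"),
    (3, r"PID 4532 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7366\7366.exe C:\Users\Admin\AppData\Local\Temp\Server.exe"),
    (3, r"PID 4532 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7366\7366.exe C:\Users\Admin\AppData\Local\Temp\cat2.exe"),
    (8, r"PID 4728 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe"),
    (2, r"PID 3296 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]
CONTEXT_ROWS = [
    r"PID 4728 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Local\Temp\Server.exe",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)$"
)


def parse_row(row):
    """Split one row into PIDs, operation and the two image paths.
    Assumption: the first path ends at the first '.exe ' in the row (true here)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    d = m.groupdict()
    d["src"], d["dst"] = int(d["src"]), int(d["dst"])
    return d


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_targets(write_rows, context_rows):
    """One record per written-to PID: the writer, how many writes, the target
    image, and whether that same writer also reset a thread context in it."""
    targets = {}
    for count, row in write_rows:
        r = parse_row(row)
        t = targets.setdefault(r["dst"], {
            "writer": r["src"], "writer_img": r["src_img"],
            "image": r["dst_img"], "writes": 0, "context_set": False,
        })
        t["writes"] += count
    for row in context_rows:
        r = parse_row(row)
        t = targets.get(r["dst"])
        if t is not None and t["writer"] == r["src"]:
            t["context_set"] = True
    return targets


def process_tree(targets):
    """Sorted (writer_pid, child_pid, child_image) edges. Assumption: each
    write target is a child the writer launched, so this is the process tree."""
    return sorted((t["writer"], pid, basename(t["image"])) for pid, t in targets.items())


def hollowing_candidates(targets):
    """PIDs whose parent shares their image name, wrote into them and then
    reset a thread context: the RunPE / process-hollowing pattern (heuristic)."""
    return sorted(pid for pid, t in targets.items()
                  if t["context_set"] and basename(t["writer_img"]) == basename(t["image"]))


def report(targets):
    lines = [f"{w} -> {pid} ({img})" for w, pid, img in process_tree(targets)]
    for pid in hollowing_candidates(targets):
        t = targets[pid]
        lines.append(f"PID {pid}: {t['writes']} writes from {t['writer']} then SetThreadContext, "
                     f"same image {basename(t['image'])}: likely hollowed, analyse its memory dump")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_targets(WRITE_ROWS, CONTEXT_ROWS)))
```

Run as-is it prints the five parent/child edges and singles out PID 3296; feeding it the rows of another report only requires replacing the two lists. The same-image check is deliberately narrow: injection into an unrelated host (the 3296 -> 1324 msedge.exe writes here are just CreateProcess start-up writes) is not flagged, which is what you want when the goal is to find the process to dump.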

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe N/A
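Because the "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" signatures all hinge on the same two registry writes, the quickest triage is to read the "Set value" indicators and translate them into what they do to UAC. The script below is an added example, not part of this report or of the sandbox; the indicator lines are copied from the report, and the table of default values and their meaning is this example's own assumption from Windows documentation (stock Windows 10: EnableLUA = 1, ConsentPromptBehaviorAdmin = 5, PromptOnSecureDesktop = 1).

```python
"""Turn sandbox 'Set value (int) ...Policies\\System\\X = "N"' indicators into
UAC findings."""
import re

# Indicator rows as they appear in the report's signature tables (constructed copy).
REPORT_INDICATORS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
]

POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values that weaken UAC when set as shown. Defaults are an assumption from
# Windows documentation for a stock Windows 10 install, not from the report.
UAC_VALUES = {
    "EnableLUA": {"default": 1, "bad": {0},
                  "impact": "UAC disabled entirely (effective after reboot)"},
    "ConsentPromptBehaviorAdmin": {"default": 5, "bad": {0},
                                   "impact": "administrators elevate silently, no consent prompt"},
    "PromptOnSecureDesktop": {"default": 1, "bad": {0},
                              "impact": "elevation prompts leave the secure desktop (spoofable)"},
}

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = "(?P<val>[^"]*)"$'
)


def parse_set_value(line):
    """Return (key_path, value_name, value) for a 'Set value' indicator, else None."""
    m = SET_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("val")
    value = int(raw) if m.group("type") == "int" and raw.lstrip("-").isdigit() else raw
    return m.group("path"), m.group("name"), value


def assess_uac_writes(lines):
    """List every write under Policies\\System that weakens UAC."""
    findings = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue
        key, name, value = parsed
        if key.lower() != POLICY_KEY.lower():
            continue  # same value name elsewhere (e.g. under HKCU) has no UAC effect
        spec = UAC_VALUES.get(name)
        if spec and value in spec["bad"]:
            findings.append({"value": name, "written": value,
                             "default": spec["default"], "impact": spec["impact"]})
    return findings


def summarize(findings):
    if not findings:
        return "no UAC-weakening policy writes"
    return "\n".join(f"{f['value']}: {f['default']} -> {f['written']} ({f['impact']})"
                     for f in findings)


if __name__ == "__main__":
    print(summarize(assess_uac_writes(REPORT_INDICATORS)))
```

The key-path comparison is what keeps this from firing on decoys: an EnableLUA value written under HKCU or under any other key is ignored, because only the HKLM policy key is consulted by the UAC machinery.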

Processes

Process chain reconstructed from the WriteProcessMemory rows above: the sample (PID 2456) drops and runs 7366\7366.exe (4532), which runs Server.exe (4728) and cat2.exe (4204); Server.exe 4728 spawns a second Server.exe (3296) and injects into it, and that injected Server.exe launches msedge.exe (1324). The msedge.exe command line below is the .NET Framework shim's "runtime version not found" redirect (go.microsoft.com/fwlink with o1=SHIM_NOVERSION_FOUND and processName=Server.exe), so the remaining msedge.exe, identity_helper.exe and CompPkgSrv.exe processes, and the msedge.exe-attributed signatures above (FindShellTrayWindow, SendNotifyMessage, BIOS enumeration), are ordinary Edge start-up activity triggered by that launch rather than payload behaviour.

C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7366\7366.exe

"C:\Users\Admin\AppData\Local\Temp\7366\7366.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\cat2.exe

"C:\Users\Admin\AppData\Local\Temp\cat2.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xb4,0x110,0x7ff9651f46f8,0x7ff9651f4708,0x7ff9651f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x8,0x108,0x7ff9651f46f8,0x7ff9651f4708,0x7ff9651f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,7624574582645024711,7430669469171060900,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2

Network

Every row in the capture is a reverse-DNS lookup, mDNS, or Edge's own traffic (learn.microsoft.com, wcpstatic.microsoft.com, js.monitor.azure.com, browser.events.data.microsoft.com) following the shim redirect listed under Processes; no connection attributable to the njRAT payload appears within the 145 s network window, so this run yields no C2 indicator.

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.246.100.95.in-addr.arpa udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
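Separating sandbox noise from candidate C2 is a mechanical step worth automating. The script below is an added example and not part of this report or of the sandbox; the rows are copied from the Network table above, and the allow-list of Microsoft/Edge domains, together with the decision to treat reverse-DNS and mDNS as noise, are this example's own assumptions. Anything that survives the filter is what an analyst should look at.

```python
"""Bucket the rows of a sandbox network table into noise and candidate C2."""
import re

# Rows copied from the report's Network table (constructed copy).
NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
GB 95.100.246.21:443 learn.microsoft.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 21.246.100.95.in-addr.arpa udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
IE 20.50.73.13:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
"""

# Domains Edge contacts on its own after launch (assumption, not from the report).
EDGE_TELEMETRY_SUFFIXES = (".microsoft.com", ".azure.com")

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_row(line):
    """'Country Destination Domain Proto' row -> dict; the domain column may be absent."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d


def classify(row):
    dom = row["domain"] or ""
    if row["ip"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"                      # local multicast DNS, never C2
    if dom.endswith(".in-addr.arpa"):
        return "reverse_dns"               # PTR lookups the sandbox/Edge performs
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns_query"                 # forward lookup; judge by the name
    if dom.endswith(EDGE_TELEMETRY_SUFFIXES):
        return "edge_telemetry"
    return "unexplained"                   # everything else needs an analyst


def triage(text):
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    buckets = {}
    for r in rows:
        buckets.setdefault(classify(r), []).append(r)
    summary = {k: len(v) for k, v in buckets.items()}
    suspicious = sorted({(r["ip"], r["port"], r["domain"]) for r in buckets.get("unexplained", [])})
    tcp_endpoints = sorted({(r["domain"], r["ip"], r["port"]) for r in rows if r["proto"] == "tcp"})
    return {"summary": summary, "suspicious": suspicious, "tcp_endpoints": tcp_endpoints}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["summary"])
    print("suspicious:", result["suspicious"] or "none")
```

For this capture the "unexplained" bucket is empty and the only TCP peers are the three Microsoft hosts, which is the evidence behind "no C2 indicator" for this run. The filter is intentionally domain-based rather than IP-based: a fresh C2 on a cloud IP range would still surface, because it would carry an unknown name or no name at all.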

Files

C:\Users\Admin\AppData\Local\Temp\7366\7366.exe

MD5 8434e4174c6477cf4f53c667d8403ab1
SHA1 cd33e7822c591d85225c07217c78189c25b5f75b
SHA256 662b4f9336665edd36208b48c94f61bdcf32df0c6e5f92f03e34c662c0c09be4
SHA512 540bb033b2099138a1498554ea2f5216236d56db106ba07589e6842a2272a1ee468e2e894a2b4d214ab6f614bad9added522950d319de899a39ebc46f1a9cdd1

memory/4532-8-0x0000000000400000-0x000000000043299E-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 e3d8ec29da5489a16a5e9630bafb4a40
SHA1 298c51871b537951eadf69f13d3b3c61e1e8e55c
SHA256 18b0624fbc10e1732b69a6e87dbe4b09f13368119a7085153b7f12d6802a1c81
SHA512 4fb4b54729dcaf8d53c998fa18ebeaff743be20df30f49a153f5c2e366302a42c32011fc3a0fa350748490e2cc069333ba3b1e28f3f9a831fec2c27792a34369

C:\Users\Admin\AppData\Local\Temp\cat2.exe

MD5 cdf4fedcd923d85043598b7f5232a794
SHA1 35043dec26dd11862797ffeb87611e0a6e466b2a
SHA256 540e5a66a4241fb7a2a68a007abb96c2cb6b49755a3482e796a98ca93d654b8a
SHA512 4685560f46c32c170c850e686f7c504d5800caf005428ba145c54ab0cdc429f5ef361db2f0a114a0054085be80bcf3d74393e59fbb6402efc89a5d159bb70359

memory/4532-26-0x0000000000400000-0x000000000043299E-memory.dmp

memory/3296-29-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 27304926d60324abe74d7a4b571c35ea
SHA1 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512 f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1 c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512 e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\333a6534-0389-494d-8f8d-d0bce5f0547a.tmp

MD5 e681f04c63170363131dd575dcb36f3a
SHA1 b80a5abd7a164b7c521f4ac99771bea227319601
SHA256 bce35480bb0dde99e4e51ee3410cebc1d8c5b7ac0521ea5ee4e885079a351586
SHA512 48db2f5a0b83950d13dc53c02a5a07127ffe05548c0999a226b6bcecb862279f3622b921390a7af19d77a1cb39c040be791356a855c66812c941af53f327895c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d5c10e639852aad558c5378eb2ced20e
SHA1 ef2cd7f7059068192727b2bece297f0b20cf4846
SHA256 6d4d8ea8c48486daa6d37db92ab5cb3f2f3c3f8f54d8e789a922c6a3b5cbb277
SHA512 7f91628f86247d1d22649119710648e77b07388e6ab340b087fe891148f19fa18ee8809ee5d787d943121ce3fdbdfe07b8dc013f2d2bd20c50e7b483443767a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d82276921e7598283092b6ae47077ac9
SHA1 62ec39762f55d7535746dc338f4d90415dccd8e1
SHA256 b27133cfaa909f43b8f4331dc1db0b2a73dd9108a119c932901e507b98e5c67e
SHA512 9b49b8a66a213b8ff40422be64e820a569714e36a6342dcc74b24b6c43fcb031610934e072a709ea4e93315af9115fd4de5cda7f2074fba5a6aea621ebe81489

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 51a98a863ceed5a6ed5029fb9e44a639
SHA1 bbe2befe4ab37a8ad77f35c116a5dc029da73fa8
SHA256 ba6dd4e45abc2eecb96bbcd92e7a726e0666f5d80f0d38ef70a6eebb4cfb3349
SHA512 f428085c1a0cadebe1ba6eba9ca785f588bb11d3f2dfa1ee70592b0f341d975d643702726ac865411f92eb20c03e3e881f069f19f6851253c4f4cce01247bbdb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b4eca22374416e2367aed2029900aab9
SHA1 916177c73358f59f230730852f3e232cd4e0fc2c
SHA256 da7c79c9f5bb5152cc437cd45c6f0e36f64d9ce85efee116b2bff8aa16121472
SHA512 7c5ed0aaa553f4d57666300af2e27068ed56a9fcb7fc6f49755df5e91970e22e710b650f95cb1855757240bdf2ac34bdb7267f24adad66e62f679fd7b7b6bab3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa