788b033f4d8e891eb4e5731a4284a5bc3ba2d79a9e51aae5fc01f4595138dbf2

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 14:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0a2731eef31ed0c6ab0b6c253a6fce_JaffaCakes118.html
Size

101KB
MD5

0b0a2731eef31ed0c6ab0b6c253a6fce
SHA1

3368c4437dabdb68bbda18568f5d9a0c8fc1458b
SHA256

788b033f4d8e891eb4e5731a4284a5bc3ba2d79a9e51aae5fc01f4595138dbf2
SHA512

352f61208d3f1104d2f9a670d3fb9e5b6b53c88eb073b4647d50535b3eb4e40e523f58c35343abff85c980e9b70036a6910347f1793ce1c7a59d5292ac369a8c
SSDEEP

3072:SfI3so9bz+wbPl9ILwbi69WhFkax0T/EVTHxEcaVTAF:S6RTAF

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
384	msedge.exe
384	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe
384	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1712	384	msedge.exe	81
PID 384 wrote to memory of 1712	384	msedge.exe	81
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 1112	384	msedge.exe	82
PID 384 wrote to memory of 2340	384	msedge.exe	83
PID 384 wrote to memory of 2340	384	msedge.exe	83
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84
PID 384 wrote to memory of 2108	384	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\0b0a2731eef31ed0c6ab0b6c253a6fce_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd65d46f8,0x7ffbd65d4708,0x7ffbd65d4718
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8148291120148968982,4042854599090229384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

bbs.vc52.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

bbs.vc52.cn

IN A

Response

bbs.vc52.cn

IN A

119.98.223.176
DNS

cpro.baidu.com

msedge.exe

Remote address:

8.8.8.8:53

Request

cpro.baidu.com

IN A

Response

cpro.baidu.com

IN CNAME

cpro.e.shifen.com

cpro.e.shifen.com

IN A

180.101.49.201
DNS

a.alimama.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

a.alimama.cn

IN A

Response

a.alimama.cn

IN CNAME

a.alimama.cn.danuoyi.tbcache.com

a.alimama.cn.danuoyi.tbcache.com

IN A

79.133.176.243

a.alimama.cn.danuoyi.tbcache.com

IN A

79.133.176.234
DNS

s6.cnzz.com

msedge.exe

Remote address:

8.8.8.8:53

Request

s6.cnzz.com

IN A

Response

s6.cnzz.com

IN CNAME

c.cnzz.com

c.cnzz.com

IN CNAME

all.cnzz.com.danuoyi.tbcache.com

all.cnzz.com.danuoyi.tbcache.com

IN A

122.225.212.209
DNS

st.5d6d.com

msedge.exe

Remote address:

8.8.8.8:53

Request

st.5d6d.com

IN A

Response
DNS

gg.a.5d6d.com

msedge.exe

Remote address:

8.8.8.8:53

Request

gg.a.5d6d.com

IN A

Response
DNS

messenger.services.live.com

msedge.exe

Remote address:

8.8.8.8:53

Request

messenger.services.live.com

IN A

Response
DNS

images.5d6d.net

msedge.exe

Remote address:

8.8.8.8:53

Request

images.5d6d.net

IN A

Response
DNS

images.5d6d.net

msedge.exe

Remote address:

8.8.8.8:53

Request

images.5d6d.net

IN A

Response
GET

http://a.alimama.cn/inf.js

msedge.exe

Remote address:

79.133.176.243:80

Request

GET /inf.js HTTP/1.1
Host: a.alimama.cn
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/javascript
Content-Length: 3691
Connection: keep-alive
Date: Wed, 02 Oct 2024 13:57:02 GMT
Vary: Accept-Encoding
x-oss-request-id: 66FD512E685CB035320AA83F
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 15317270369186392877
x-oss-storage-class: Standard
Content-MD5: 0Jz2LYtM9hnrg0DmjiR0IA==
x-oss-server-time: 3
Cache-Control: max-age=2592000,s-maxage=3600
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Via: ens-cache10.l2de3[0,0,200-0,H], ens-cache11.l2de3[1,0], ens-cache2.gb6[0,0,200-0,H], ens-cache1.gb6[3,0]
Age: 612
Ali-Swift-Global-Savetime: 1727877422
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 02 Oct 2024 14:00:19 GMT
X-Swift-CacheTime: 3403
Timing-Allow-Origin: *
EagleId: 4f85b09517278780348303390e
GET

http://a.alimama.cn/inf/main.js?_t=20130530.js

msedge.exe

Remote address:

79.133.176.243:80

Request

GET /inf/main.js?_t=20130530.js HTTP/1.1
Host: a.alimama.cn
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/javascript
Content-Length: 6684
Connection: keep-alive
Date: Wed, 02 Oct 2024 13:23:51 GMT
Vary: Accept-Encoding
x-oss-request-id: 66FD49674E29A530375ECF35
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 14870770248734017902
x-oss-storage-class: Standard
Content-MD5: wsDRu5ZiPPQUdgF05C7N/A==
x-oss-server-time: 20
Cache-Control: max-age=2592000,s-maxage=3600
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Via: ens-cache4.l2de3[0,0,200-0,H], ens-cache14.l2de3[1,0], ens-cache10.gb6[0,0,200-0,H], ens-cache1.gb6[2,0]
Age: 2639
Ali-Swift-Global-Savetime: 1727875432
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 02 Oct 2024 13:26:26 GMT
X-Swift-CacheTime: 3446
Timing-Allow-Origin: *
EagleId: 4f85b09517278780714836403e
GET

http://a.alimama.cn/inf/type/f.js?_t=20130530.js

msedge.exe

Remote address:

79.133.176.243:80

Request

GET /inf/type/f.js?_t=20130530.js HTTP/1.1
Host: a.alimama.cn
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
DNT: 1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/javascript
Content-Length: 832
Connection: keep-alive
Date: Wed, 02 Oct 2024 14:07:59 GMT
Vary: Accept-Encoding
x-oss-request-id: 66FD53BFE78282373020832F
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 7426797296705371778
x-oss-storage-class: Standard
Content-MD5: hry7ZuM09h5mLEyon4rhCQ==
x-oss-server-time: 32
Cache-Control: max-age=2592000,s-maxage=3600
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Via: ens-cache10.l2de3[661,660,200-0,M], ens-cache14.l2de3[662,0], ens-cache1.gb6[0,0,200-0,H], ens-cache1.gb6[0,0]
Age: 12
Ali-Swift-Global-Savetime: 1727878079
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 02 Oct 2024 14:08:00 GMT
X-Swift-CacheTime: 3599
Timing-Allow-Origin: *
EagleId: 4f85b09517278780911398230e
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

243.176.133.79.in-addr.arpa

Remote address:

8.8.8.8:53

Request

243.176.133.79.in-addr.arpa

IN PTR

Response
DNS

show.union.360buy.com

msedge.exe

Remote address:

8.8.8.8:53

Request

show.union.360buy.com

IN A

Response

show.union.360buy.com

IN A

58.83.220.26
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

images.5d6d.net

msedge.exe

Remote address:

8.8.8.8:53

Request

images.5d6d.net

IN A

Response
DNS

gg.a.5d6d.com

msedge.exe

Remote address:

8.8.8.8:53

Request

gg.a.5d6d.com

IN A

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

images.5d6d.net

msedge.exe

Remote address:

8.8.8.8:53

Request

images.5d6d.net

IN A

Response
DNS

gg.a.5d6d.com

msedge.exe

Remote address:

8.8.8.8:53

Request

gg.a.5d6d.com

IN A

Response
DNS

messenger.services.live.com

msedge.exe

Remote address:

8.8.8.8:53

Request

messenger.services.live.com

IN A

Response
DNS

hm.baidu.com

msedge.exe

Remote address:

8.8.8.8:53

Request

hm.baidu.com

IN A

Response

hm.baidu.com

IN CNAME

hm.e.shifen.com

hm.e.shifen.com

IN A

111.45.11.83

hm.e.shifen.com

IN A

111.45.3.198

hm.e.shifen.com

IN A

183.240.98.228

hm.e.shifen.com

IN A

14.215.182.140

hm.e.shifen.com

IN A

14.215.183.79
DNS

gg.a.5d6d.com

msedge.exe

Remote address:

8.8.8.8:53

Request

gg.a.5d6d.com

IN A

Response
DNS

z.alimama.com

msedge.exe

Remote address:

8.8.8.8:53

Request

z.alimama.com

IN A

Response
DNS

bbs.vc52.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

bbs.vc52.cn

IN A

Response

bbs.vc52.cn

IN A

119.98.223.176
DNS

bbs.vc52.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

bbs.vc52.cn

IN A
DNS

bbs.vc52.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

bbs.vc52.cn

IN A
DNS

bbs.vc52.cn

msedge.exe

Remote address:

8.8.8.8:53

Request

bbs.vc52.cn

IN A
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
79.133.176.243:80

http://a.alimama.cn/inf/type/f.js?_t=20130530.js

http

msedge.exe

1.6kB
14.4kB
14
17

HTTP Request

GET http://a.alimama.cn/inf.js

HTTP Response

200

HTTP Request

GET http://a.alimama.cn/inf/main.js?_t=20130530.js

HTTP Response

200

HTTP Request

GET http://a.alimama.cn/inf/type/f.js?_t=20130530.js

HTTP Response

200
122.225.212.209:80

s6.cnzz.com

msedge.exe

260 B
5
122.225.212.209:80

s6.cnzz.com

msedge.exe

260 B
5
180.101.49.201:80

cpro.baidu.com

msedge.exe

260 B
5
180.101.49.201:80

cpro.baidu.com

msedge.exe

260 B
5
58.83.220.26:80

show.union.360buy.com

msedge.exe

260 B
5
58.83.220.26:80

show.union.360buy.com

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
180.101.49.201:80

cpro.baidu.com

msedge.exe

260 B
5
180.101.49.201:80

cpro.baidu.com

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
111.45.11.83:80

hm.baidu.com

msedge.exe

260 B
5
111.45.11.83:80

hm.baidu.com

msedge.exe

260 B
5
111.45.3.198:80

hm.baidu.com

msedge.exe

260 B
5
111.45.3.198:80

hm.baidu.com

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
119.98.223.176:80

bbs.vc52.cn

msedge.exe

260 B
5
183.240.98.228:80

hm.baidu.com

msedge.exe

260 B
5
183.240.98.228:80

hm.baidu.com

msedge.exe

260 B
5
14.215.182.140:80

hm.baidu.com

msedge.exe

260 B
5
14.215.182.140:80

hm.baidu.com

msedge.exe

260 B
5
14.215.183.79:80

hm.baidu.com

msedge.exe

260 B
5
14.215.183.79:80

hm.baidu.com

msedge.exe

260 B
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

bbs.vc52.cn

dns

msedge.exe

57 B
73 B
1
1

DNS Request

bbs.vc52.cn

DNS Response

119.98.223.176
8.8.8.8:53

cpro.baidu.com

dns

msedge.exe

60 B
104 B
1
1

DNS Request

cpro.baidu.com

DNS Response

180.101.49.201
8.8.8.8:53

a.alimama.cn

dns

msedge.exe

58 B
136 B
1
1

DNS Request

a.alimama.cn

DNS Response

79.133.176.243

79.133.176.234
8.8.8.8:53

s6.cnzz.com

dns

msedge.exe

57 B
132 B
1
1

DNS Request

s6.cnzz.com

DNS Response

122.225.212.209
8.8.8.8:53

st.5d6d.com

dns

msedge.exe

57 B
132 B
1
1

DNS Request

st.5d6d.com
8.8.8.8:53

gg.a.5d6d.com

dns

msedge.exe

59 B
134 B
1
1

DNS Request

gg.a.5d6d.com
8.8.8.8:53

messenger.services.live.com

dns

msedge.exe

73 B
143 B
1
1

DNS Request

messenger.services.live.com
8.8.8.8:53

images.5d6d.net

dns

msedge.exe

122 B
272 B
2
2

DNS Request

images.5d6d.net

DNS Request

images.5d6d.net
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

243.176.133.79.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

243.176.133.79.in-addr.arpa
8.8.8.8:53

show.union.360buy.com

dns

msedge.exe

67 B
83 B
1
1

DNS Request

show.union.360buy.com

DNS Response

58.83.220.26
224.0.0.251:5353

390 B
6
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

images.5d6d.net

dns

msedge.exe

61 B
136 B
1
1

DNS Request

images.5d6d.net
8.8.8.8:53

gg.a.5d6d.com

dns

msedge.exe

59 B
134 B
1
1

DNS Request

gg.a.5d6d.com
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

images.5d6d.net

dns

msedge.exe

61 B
136 B
1
1

DNS Request

images.5d6d.net
8.8.8.8:53

gg.a.5d6d.com

dns

msedge.exe

59 B
134 B
1
1

DNS Request

gg.a.5d6d.com
8.8.8.8:53

messenger.services.live.com

dns

msedge.exe

73 B
143 B
1
1

DNS Request

messenger.services.live.com
8.8.8.8:53

hm.baidu.com

dns

msedge.exe

58 B
164 B
1
1

DNS Request

hm.baidu.com

DNS Response

111.45.11.83

111.45.3.198

183.240.98.228

14.215.182.140

14.215.183.79
8.8.8.8:53

gg.a.5d6d.com

dns

msedge.exe

59 B
134 B
1
1

DNS Request

gg.a.5d6d.com
8.8.8.8:53

z.alimama.com

dns

msedge.exe

59 B
128 B
1
1

DNS Request

z.alimama.com
8.8.8.8:53

bbs.vc52.cn

dns

msedge.exe

228 B
73 B
4
1

DNS Request

bbs.vc52.cn

DNS Request

bbs.vc52.cn

DNS Request

bbs.vc52.cn

DNS Request

bbs.vc52.cn

DNS Response

119.98.223.176
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea5ddd563c0147282c011c1a73f796ba

SHA1
c81be827647ea491e7b50d049681dd3ff9c38882

SHA256
2b029c10d78bee981bdd2fe881ba631f4d6cf129af52b0dc633e6eba58f40299

SHA512
eef90fa213fa48ecd9721b9c09b332926a74eef0382df5430a77455b399b31b736bf4f06977458d5bc05af07e7f55214eca3f8068bfadeb06e642274678a5eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e495d9cd6adbc8d8400f7029af6cc98d

SHA1
3ec0cfc5696916ba8070d1b91d12db4d1143b5d4

SHA256
adbfeceecf55128360b7bf770f073c239329f79be8e70962e5a8da5ca8080074

SHA512
6859fc756a4bb2e0332550136e26e9fbe866b069c10b31b77a9467e2fb700a155449e2ac1f69851c8dd56e9b49b88725331a5cc03be8c5f1e631d4f3d3fcb00a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dc3ed929-75d4-410e-9090-0c1f96ac6f57.tmp

Filesize
10KB

MD5
80697544f61415ba08a7ec73eb46a52c

SHA1
746c091c02ee89463de3b02ab16bfcfec75a1ca7

SHA256
66c72eaf3192483add722399ec9aa145a56d977332743fdab6b44cef3b8859d5

SHA512
06c406f71368f01eeae5c28088252e3ef3fbe1bba011c701b5ce879c2125737d5bc33ec0cb93880e7c2b23e0cf318bd21a8f91491fa36d62031955489b19dcc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.