Malware Analysis Report

2024-12-07 14:30

Sample ID 241012-18mldavame
Target 3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118
SHA256 6ff047af37d02804167d9354fd0d1eb0440d518679337b9d7984b06c765907c5
Tags upx discovery defense_evasion evasion exploit ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 6ff047af37d02804167d9354fd0d1eb0440d518679337b9d7984b06c765907c5

Threat Level: Likely malicious

The file 3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery defense_evasion evasion exploit ransomware

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Drops file in Drivers directory

Loads dropped DLL

Modifies file permissions

Checks computer location settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 22:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 22:19

Reported

2024-10-12 22:21

Platform

win7-20241010-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\tcpip.copy C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\tcpipreset C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpip.copy C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpipreset C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\de-de\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\fr-fr\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\it-it\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\en-us\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\en-us\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\es-es\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\es-es\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\fr-fr\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\de-de\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\de-de\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\en-us\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\it-it\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\it-it\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\ja-jp\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\it-it\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\ja-jp\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\ja-jp\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\de-de\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\en-us\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\fr-fr\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\ja-jp\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\es-es\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\es-es\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\fr-fr\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000e051165b430902a53d058d86a176294e72c80a729709a07c24d23cb56ec98a88000000000e8000000002000020000000e0294d34c5ce85fb391e8427d97c074826fd523e2aeba2d6d7fdb98d748a3eb5200000007f2b83a983379b544aedb37c09a81773ecf9a4654313dbb7f077ce563566e306400000002bb90c45355de76353585d8d7ed574c77b6d6675607fdc76930c19d1ad1b7aab01c56ad10e8a96937361c24728d229c02da886171f8a50d59fc4494288e77e8f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E3EED91-88E8-11EF-BD8C-6252F262FB8A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\half-open.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\half-open.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434933442" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1022b4e4f41cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://half-open.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 half-open.com udp
RU 81.177.139.61:80 half-open.com tcp
RU 81.177.139.61:80 half-open.com tcp
GB 216.58.204.66:80 pagead2.googlesyndication.com tcp
GB 216.58.204.66:80 pagead2.googlesyndication.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 www.half-open.com udp
RU 81.177.139.61:80 www.half-open.com tcp
RU 81.177.139.61:80 www.half-open.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/3032-0-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/3032-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3032-7-0x0000000002DB0000-0x0000000002FB4000-memory.dmp

memory/3032-24-0x0000000002DB0000-0x0000000002FB4000-memory.dmp

\Windows\System32\de-DE\user32new.dll.mui

MD5 f124dbe67c50788db4fb1d6a9be8d050
SHA1 2949b65e3155eb8f5bf16e0857459ebd3cd0909a
SHA256 bc5a077b0b3daafda0ef75bbf92b9dfa81b0ff01dbbd603f947282437fe0b4d0
SHA512 861e8ad6c611aaad1cd9e471083e0d6688e6b666dc344baacbb444ddc1d94c71f480ce773cad07ec1bad7687c13fcdedb4104228f38dfdb79b5b7e8bd74f87e3

\Windows\System32\en-US\user32new.dll.mui

MD5 ef9bc0d92f9af6a446ca3179efda0ce0
SHA1 fd411d68b187aa5ef59852c9b815846fcf794bbf
SHA256 4420eca521bf0c29aa2b14835a9c4d36770a2c42a3c8b097a7a755e8937b419b
SHA512 171014b7de0e59cd81291fc970c9205616c16ebd8918812a9d59f7342ccad1ac0a3f4971a1c5d846418d58aeadcd08c2edec1bcfda9b8f22e6ac3c3dba7e2479

\Windows\System32\es-ES\user32new.dll.mui

MD5 532ed4f40d2b6f0b9b2490fc3202f79b
SHA1 3e11449ef3e737df8c969946468c48d232d8dbe6
SHA256 8b38226109ce42f831e3b2859f09ceb6dc871fc35e184f05e5e5425b290e41d6
SHA512 20b51771064755a40082c7558f2903bef5bcd33bd5d9c40c47de10a59673b95f8532eac2047ad2a087a3b6243a2a982a32d552c0e0c455b84c82641c6089ab82

\Windows\System32\fr-FR\user32new.dll.mui

MD5 0d57d091e06bb1e58e72e5d08479fddf
SHA1 8e1885e1c030d9ff96c20150c34fa9bd7ddc4919
SHA256 67eee41ba82aad3adf2b4c34d108cc88b108c9eebc02f901863e2c8438e38b40
SHA512 3c38cc5b0e4525dab39ae08cfb57c08a8b28e6ae7bb0a8adc38fdee7ae5461966b0b3f026ddc6b198ce45ec661a940f887d9885e8c8dbc590823dc7ca47a8246

\Windows\System32\it-IT\user32new.dll.mui

MD5 8600c49b59928f85c1db3aab8d1571f6
SHA1 2a7ade977bf35fae4e51c0c8c25c3fce99d601b4
SHA256 d58f104cb5ef742c6cf34edc2d5d7d90f2e24c39b43891f2a2c07cded4bb9c34
SHA512 225e9991df48c2c31db4504e18a54696b7644b0f77032917bc2d0b8e198433fb2aaceff07b612dba24a72571ebcc09adaf6de0f270428da5e9862036f0ea4c9f

\Windows\System32\ja-JP\user32new.dll.mui

MD5 a6beeda73b13dfdb10ae4bbab0209986
SHA1 0028487943dece80b9b32952cce430e2145f1efe
SHA256 7d91394a5c63cd5c6a599700ee0c079b9561f2824973695c886c77982a6adea9
SHA512 adcbb2b4b045317a6a0b69e77f263c259bb5aac6f4340f6bc44196720bf30ab238fefe6d9a9fc5918d47471a5d652298af20ec89758d70da5d01534aeebdb11a

memory/3032-122-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/3032-129-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\f[1].txt

MD5 fcfdd46fd12fa1f3449013201e537b0e
SHA1 551bdcdbb77a8b64d13fdd2e7e3d6e73017d2846
SHA256 6321374f205bdd2e8dec8dd86474da00db8a62eda753e25f6072e019bed773c3
SHA512 96ee0d25b51bfc700096c3d79d94ad0964f413d5fc6d4664b686518125a4ef0aee1888286c62fa119daf182f751614f41042f3847ba580a9b54c9a13e037c6c6

memory/3032-157-0x0000000000400000-0x00000000004C8000-memory.dmp

memory/3032-158-0x0000000002DB0000-0x0000000002FB4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon[1].ico

MD5 b52bccba80f24a0302940325d198dc4e
SHA1 59482479a5cd3e85397758902c5ed0517a73b713
SHA256 0733e9ae345ee15b468e2aa7363e87aad4e8a42f2e55e641acd02c0c42031a21
SHA512 3c5c727f40bb803b62f701e28150bf65dd17a06ba4873efd2629fc62bef933a74b6ac152bda260d99039511ddc9987cfd686d572fd8376bd404e22276048f964

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

MD5 ae219ae679fdfcb10b11fa6a058121b2
SHA1 d6822f1c4dc2942e713170a76c584d4eaed22909
SHA256 629026cc3e77da8c34704e47135923129ddec770ca49fc8e4b21a064319f62dc
SHA512 d3874334a875e3d936584a3f4163de4201ae1b5ac394597fc1801780b044c9da9c27e17f849c07c7f05b34ccb3578eb03f83ff1e07c224195afff647ae133917

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 22:19

Reported

2024-10-12 22:21

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\bcdedit.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\tcpipreset C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpip.copy C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpipreset C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpip.copy2 C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\system32\drivers\tcpiprefresh1 C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\tcpiprefresh1 C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\tcpip.copy C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\de-de\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\en-us\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\es-es\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\it-it\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\uk-ua\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\fr-fr\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\ja-jp\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\en-us\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\es-es\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\fr-fr\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\it-it\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\uk-ua\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\de-de\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\en-us\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\en-us\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\es-es\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\ja-jp\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\es-es\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\it-it\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\fr-fr\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\it-it\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\es-es\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\fr-fr\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\ja-jp\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\uk-ua\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\uk-ua\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\de-de\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\de-de\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\fr-fr\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\ja-jp\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\ja-jp\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\System32\de-de\user32new.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\it-it\user32copy.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\uk-ua\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A
File created C:\Windows\System32\en-us\user32.dll.mui C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4452 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 3140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 5068 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4924 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4452 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1724 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4452 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 4452 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 5068 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4908 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1724 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4924 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4132 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2976 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1724 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4908 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2560 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4924 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1996 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1980 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4132 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2976 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4132 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2976 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1996 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3c516df25c4656ccc8467daeaa1fa12b_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f"

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f

C:\Windows\system32\icacls.exe

"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C "C:\Windows\System32\bcdedit.exe" /set TESTSIGNING Off

C:\Windows\System32\bcdedit.exe

C:\Windows\System32\bcdedit.exe /set TESTSIGNING Off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffe1c1a46f8,0x7ffe1c1a4708,0x7ffe1c1a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /C "C:\Windows\System32\bcdedit.exe" /set TESTSIGNING Off

C:\Windows\System32\bcdedit.exe

C:\Windows\System32\bcdedit.exe /set TESTSIGNING Off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4227601426301146017,11608798164626735252,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2

Network


Files
