Analysis Overview
SHA256
df3d4b03c2fcd0050c01e5be70962d833c960aaf937765e2a043ec4ae14bba9a
Threat Level: Known bad
The file 8173bdfafc135aa867c33525bcbbee03_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Server Software Component: Terminal Services DLL
Checks computer location settings
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Browser Information Discovery
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 03:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 03:31
Reported
2024-10-31 03:33
Platform
win7-20241010-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\ntuser.dll" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00fc272452bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99EE22D1-9738-11EF-9333-DEF96DC0BBD1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436507350" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000590e53aafca7185897b769c0425553bfd846114444b4a37f56f597bb03b1b081000000000e8000000002000020000000f5a90c3cfe354b63adcac4cf231b1dd6d7226370eb58b12b8f2ce6c318729adc200000008a0d3ebc90a39e7f3e53414df428e4b8ca025a4b2cb35fdf199934c7fc0bd43540000000109ebaca44aaa07af6c1096cafe8405c4fc16b58753726c558d59412a49751c271fb63ee723ee05578c585ceaf91b6108e178ba16ba3cc34845b360b66323c48 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe
"C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://tg.94fz.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tg.94fz.com | udp |
| US | 8.8.8.8:53 | xshz20002.gotoip2.com | udp |
| US | 8.8.8.8:53 | lihu1086.3322.org | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1988-0-0x00000000002F0000-0x000000000039C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 8e1f7b3bd7b1296e645a57fbe8cd5b22 |
| SHA1 | f7374b8a9b2b36b5103e0297be27b62583447156 |
| SHA256 | 02e1dfc8f92ca1932a25e00fdf7c71811b73b0e4f394234faa1057b54a3cbccd |
| SHA512 | b96137b5ec95bb5adc16c9984a6d4794f811b47d36e019aedf2e5b1eb501e61dbaae9587317deb2f6adc2e317130e7754f6ac699e68d5e98c82116b1c6f0f67e |
memory/1812-14-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1988-11-0x00000000023B0000-0x00000000023D1000-memory.dmp
memory/1988-10-0x00000000023B0000-0x00000000023D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe
| MD5 | c477707537564645109268f1b8312185 |
| SHA1 | 075a960a93f706fb1d8516ff5e402814a99eabf1 |
| SHA256 | 019f06b57860be00c9f1f3d118dbfff1c692052c595299b9e9e4407e380967b1 |
| SHA512 | 6b9ca69f531fe705a7905a3e30c2de3257937ef8e65e3260a130bc8f08b6afbc3c8c5de0bebc9938c7c8a149574148f1098874e31e4d02644736a52c21fa0d2d |
memory/1988-21-0x00000000037F0000-0x000000000427F000-memory.dmp
memory/1692-23-0x00000000010A0000-0x0000000001B2F000-memory.dmp
memory/1692-30-0x0000000076EE0000-0x0000000076EE1000-memory.dmp
memory/1692-26-0x0000000077DB0000-0x0000000077DB1000-memory.dmp
memory/1692-24-0x0000000077DB0000-0x0000000077DB1000-memory.dmp
memory/1692-32-0x00000000010A0000-0x0000000001B2F000-memory.dmp
\??\c:\documents and settings\local user\ntuser.dll
| MD5 | be785ba2258ba4163ef37105f0b82ca4 |
| SHA1 | 389a22eaf4994c084ea0d85bb1cf65a4d0ab70cd |
| SHA256 | 918b2d488aa9a83558ec8341cf6e4701a3b8d8f8125105f35e381656a63df509 |
| SHA512 | e70c9666fbdc10509b0b24fa8682054d709f0544397981490cdc6c0f979daa827c28561616eb74c6c436959b31439c1394978db90a9a5ce36a27a49231257fc3 |
memory/2860-37-0x0000000010000000-0x000000001001D000-memory.dmp
memory/1812-34-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1692-38-0x00000000010A0000-0x0000000001B2F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE0E0.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE170.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | caac40627506c78083f52ab385f90695 |
| SHA1 | 5b1251fd45516e135fe1753d880b2633635f3a80 |
| SHA256 | 30841e1178c4e69898da1b1a6b88a0d8434690f339db05be63b7db154f474ec1 |
| SHA512 | b7b71d8ce61563764804f0529053d86f15b4920c63a198e86af816152121098af4b4e3d5fa9ec12080fb5cccea543f8b8c00280fc6cda7421e72589742302314 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 000df84cdccb5291acd3ecab14a16da9 |
| SHA1 | e7a08449a31bd423ed324e2228b7416020ea21ab |
| SHA256 | d028836cbc89843513ed94002d75f32c43d345741ab487bfc9f0d232f99d9c1c |
| SHA512 | 69ab1ea8a9b6852b124af304291f3186534724820cb6dc4a7ccb1b87835be9abe089f2507994a9ac89aaeba6662ba32300ee1d6e243589a75e37187534793276 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5831e71a353e0d0e7cebafeaf7a16a90 |
| SHA1 | 6123969ce75afc7de001a1404933f9d95549eac7 |
| SHA256 | 04d02abc8f68505d8e65d55469c4199fae3a336517c778a0a963205a92424a6f |
| SHA512 | 37a4e79f166a5b51925e61db95b1a93cadceaf3987ee67e1a0c4df83d57c9dbfc25f0fa2ae2c95a073e1e916734c4f1761dd87b1f6f13cd41b04c65be3e77663 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb7f5740576487b5da280d0c2e837bd8 |
| SHA1 | f19cad61eff8b4cd00633e3289df85d39cab3107 |
| SHA256 | 60450637fcd12caf2678ee5fa57258c8cfd0c846957f141f39602d6f03bed604 |
| SHA512 | 000415eb5b1b9e5047dc2ffb2b3dc514f0ac2342e52c0213c2c2f282d095af9bf322c06a83aa7dceb3bd56a036b500e4166a1065cf2cfb485721afeef4449be7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b23357a9c7f856cd5e74f456d65eef4 |
| SHA1 | d29862ff5a066b0a2d0dd6539922429390fd9578 |
| SHA256 | 854f555ab5bafa72e5fa1abbe16e168731d874aa0588e8b461163f5385c2c669 |
| SHA512 | 9e3a0f94202fa68223f95c7528fccb325d0c3fef977379ed6ac00e5a7486f4528016d5709c2937a844cbb3ded9c2170c16f6b939fe6ae1281db4c1a5384fb1cb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65252a2be751e6c096da58e964df6e81 |
| SHA1 | 7e1fe513d1a86f01385996a97bee2a55707464ad |
| SHA256 | a7f09c38ac83a7291aa99cbf27e677a8d566e5038b4968cce34c317a9d136d4b |
| SHA512 | 53cb23abec6d7a1d43e1eb62ac548f500635a496828572df855f7a65c27b746a99c0adb3fde9e876631d99dc8e0aed5cb9a2f55d97f763c7cf0a06e9edad410e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 13d493a1308fb59ea9a5c5ec77272471 |
| SHA1 | edab5a7ec244e8da87736a14fe7daa58d209a920 |
| SHA256 | 287da11ea792e61b4d64c99809530dcaacc0c8a0fe7a3f1b7561ab792efa8304 |
| SHA512 | 965a3a11e68608664fc841f09dc3d36a312e42910e3dc51970a10a7bdc22ba5804937c1fd5c811b537c040c98310f770001db9f0a9c7b1cb45f47705d5407fd8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2420c7b91c3dad0e2e277139bcb1b24 |
| SHA1 | aba0a50017e97200fef4b862f929a94cff9dd8a9 |
| SHA256 | 4e894eb96f33b71f3e88853f1cbf82dd840e9124ebadc428dcce1ed1ba46d5ed |
| SHA512 | 46f7b18f47d0ba1fb13fc06404bfe43a7d01df8f08c3712bee8ccf6c7a1b861088927a2b5e7ca77e40e1f590624f9232487586309281a09dca28a436b4ab8a5a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ebb53d6074782d296b8b9a59fe983ef5 |
| SHA1 | a8bb42a83afa96cf9d65e4a453f2aaffbf1c7243 |
| SHA256 | d363db6a7e842b4fafc3bc21e0ad0bf4625f94f5c1c5a7295fcda00b67b9cc76 |
| SHA512 | 2ccb1aaec097c989d48dd5a50f91232d56c38e96f57da95384a5e472e1b2a9f1f75c34e32ae08d3b785eef1d4e50bce54977ce58d6f89662a7aa679fe907aa58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b097931502ce2bdb371eddb87c5a8545 |
| SHA1 | f0fd3a2114877b35f13284d91bce536372e1823e |
| SHA256 | 0a1e78bd572020cd33acff19a40d37608526b19a2ffa1807b1e2748147f319a6 |
| SHA512 | 1ad42a9131210a46f802b86148662397f54bf7ec21171e4235e15bec23d06ccf261e4ef100dacd1d1e9ad72fe312ad88398abdcc919aaac769b755bb30311619 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 670a12adccdcfd2507c03c606d9b6638 |
| SHA1 | 7ee62b691add937df39386c405a3346e9108b523 |
| SHA256 | bf52f79b53c95af157eec0eb0d9ecf42aa63b82c17693a43019e6f0a8bab36cf |
| SHA512 | c1bae469da0fa7d71f93566a2c6beaf5f4e0a07aad26daee35c0e8f3ad83fedd4e25d2dda1f58f574fd27def35a3ae98742042f8d312639458cfb6090ec1b3e8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47643cf694eb9b6119c4cb5d4630bb16 |
| SHA1 | c8b5e58d41a0496a8a56ee54d2f21d632b079a9d |
| SHA256 | 63286b6ad18c16eaf19f9a157fd4bbce40c1f4dd80022e8109cd6e066ccb7cb0 |
| SHA512 | c16f4f74a0739b2922867fef00feafa807182a683f23b01877b62d6695c61317d6d5c6368b4a2e18035e91e1b3cb1191c4e2dbc54cb8000aefaccb81b77b707d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1804f136e309b8df35f9ef348e082465 |
| SHA1 | c33373098d0f27d8986792c6de2b85065add64e0 |
| SHA256 | f7e24bdbd543a4c963862b845e093cda05efb820ff9b2dd845c1b48236557302 |
| SHA512 | 9324028003fae4812bfd6ad245f88a01c599996730b508f78069254e409a285c1e6bb485a26e9c922c98abfaae12673895c520f2aea3f1f01e051f69126c50da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9448fb6b1d4975f44158e4877e6e25b7 |
| SHA1 | b458bd01b0dfef3f95032cf5b311e40c0acd6853 |
| SHA256 | 729f186707429d7e455ee111b0a9233ba0559ac28742154c7e3939a9e800ea45 |
| SHA512 | c22afc7c2e3c19f3d589db0481bc09fe9f116f8424c43eb513764ba783ff733b18211908e3d7770fc36a07fc4cd63f39566cc9ad44e462dbc2fd72f7dfc067d4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f60ad2d16b39de24c55cf7d76a93c7c5 |
| SHA1 | 44a60d8442296c2e6a03657d0dfd12df4f09e9bb |
| SHA256 | 93ffcc408571c0866373115e7c9879afdb46ed45606383c478de6f3e9ccaf43f |
| SHA512 | fa1599460af7c40f226124a2a4a00c2d4485f6104999b369f7a7c5c6ec0e88b89301d534d64f59cd4f768031ba0b3e180f2e64b539237e782f892cd434d9e3b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c5410e27ab0d328517d0487c987117b |
| SHA1 | eaffb9c68774d9ff087e34bda7d86ced9234cb81 |
| SHA256 | 8658ca311b00d07eb8d042581146aae77b9c5fd9e075b7a1b676f57387853c0f |
| SHA512 | b179faeb5812ca127a1b2dbed8fd4b0c94aaac3260191f0a083abae24dc3a93eb644b729c0c44a2b664b584f0a1b3decefc27f783d2fbb2a68ddea362870520f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a13201dd2b7b60941f55de05505db325 |
| SHA1 | 66cf8c0927313ae9598f260a6c586352420058c9 |
| SHA256 | 602c0af5f8c94c80a3e22a2c81fa4ae9320fa97d81fdff7e279ade5147156eba |
| SHA512 | 1199e41de51a42f8f44f8b707005b45f6b8f3baf056c9b73a8f1bca1cb13365cdf2e21466ea9b0b1c51a3845d9f25ba1ffe17fb9e57956f77dad23f020b577f0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fd7400c12f9d9141932fae9f3b21d65 |
| SHA1 | ef96cff6e02478848f9c7aa91b6205e70f24c0bf |
| SHA256 | b2b85a0df9d59d7c63ed2e2964ad412394211de1cb313dc642b18ab95814f771 |
| SHA512 | 4e51e09f71af163363c42f200709d409562244779f8add10746bf5e922e5801169e5bcc0cbcc10d6d90e13b2797f21e8cd8c4a4efd47de48389d77974a6edca2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d75821f22c5a63e5c53e62747bdc3eec |
| SHA1 | c24bb799a7b812d12db0843a7d867add159158f3 |
| SHA256 | 8870b948e0e0a8520caab22e82bcf7e599428cc0a32b36a1a4cbd019e8e7d921 |
| SHA512 | 55c003e74af0a50e4d20dd0730fe45a4889fbbe542dbd03b432b058969f7fb948766bd52ab53102c38fa9c7327eade2f565d65f762debfbd1ec452586f9d77d4 |
memory/2860-903-0x0000000010000000-0x000000001001D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 03:31
Reported
2024-10-31 03:33
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
142s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8173bdfafc135aa867c33525bcbbee03_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe
"C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1312 -ip 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tg.94fz.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf2d446f8,0x7ffaf2d44708,0x7ffaf2d44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14148589509624424632,8763747336013610190,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1952 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xshz20002.gotoip2.com | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tg.94fz.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tg.94fz.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tg.94fz.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tg.94fz.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 8e1f7b3bd7b1296e645a57fbe8cd5b22 |
| SHA1 | f7374b8a9b2b36b5103e0297be27b62583447156 |
| SHA256 | 02e1dfc8f92ca1932a25e00fdf7c71811b73b0e4f394234faa1057b54a3cbccd |
| SHA512 | b96137b5ec95bb5adc16c9984a6d4794f811b47d36e019aedf2e5b1eb501e61dbaae9587317deb2f6adc2e317130e7754f6ac699e68d5e98c82116b1c6f0f67e |
memory/1312-11-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VIP加强版.exe
| MD5 | c477707537564645109268f1b8312185 |
| SHA1 | 075a960a93f706fb1d8516ff5e402814a99eabf1 |
| SHA256 | 019f06b57860be00c9f1f3d118dbfff1c692052c595299b9e9e4407e380967b1 |
| SHA512 | 6b9ca69f531fe705a7905a3e30c2de3257937ef8e65e3260a130bc8f08b6afbc3c8c5de0bebc9938c7c8a149574148f1098874e31e4d02644736a52c21fa0d2d |
memory/4256-23-0x0000000000A20000-0x00000000014AF000-memory.dmp
memory/4256-24-0x0000000000A21000-0x0000000000A59000-memory.dmp
memory/4256-25-0x0000000000A20000-0x00000000014AF000-memory.dmp
memory/4256-27-0x0000000000A20000-0x00000000014AF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 443a627d539ca4eab732bad0cbe7332b |
| SHA1 | 86b18b906a1acd2a22f4b2c78ac3564c394a9569 |
| SHA256 | 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9 |
| SHA512 | 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d |
\??\pipe\LOCAL\crashpad_4900_TJONZXIUPPJDPMMX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 99afa4934d1e3c56bbce114b356e8a99 |
| SHA1 | 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581 |
| SHA256 | 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8 |
| SHA512 | 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e039d5a82f4fe646523f453f53b54e78 |
| SHA1 | 02103706035d740192a23cca1e441dcb9f63e16a |
| SHA256 | 74fb9f63913a1539e9821ae4e6ac0fec30649f92a4dd47348d028d00c486790f |
| SHA512 | 082aab75543d749c3ca9ec47fa904dbc4da444e375d745b530366c666e8123abb9031804db94e03c0dc80f4a3ad12cc6c04e9f3ca84bc9d9136d04b78e2dd32c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
memory/4256-80-0x0000000000A20000-0x00000000014AF000-memory.dmp
memory/4256-81-0x0000000001AC0000-0x0000000001B1F000-memory.dmp
memory/4256-82-0x0000000001AC0000-0x0000000001B1F000-memory.dmp
memory/4256-83-0x0000000000A20000-0x00000000014AF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cc279eedb75aa89648747a79d2118064 |
| SHA1 | 7f796e8fa049daa46c45605804a7818218016af6 |
| SHA256 | 7017bcc83366702647a26ac257224b3c340db8762dba6bd2dfe6f0308750697d |
| SHA512 | d450951370815725b3ea533e52f5f31912de083c00b4ae371e219c9a4b7c849fb510e34ed34639cedef322baddef8528d9138f857f67bc0b80ebd844b94e7c1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7bc4b882525a04e4ce0a460ed7e0d228 |
| SHA1 | 351e1f7efaab8ca7b79988919dd9af24a428dd72 |
| SHA256 | 6ff7c74ddec7273ff8ba46e75b36edb0921f053ef0016b0d6c2b5d5c6bc6ebdf |
| SHA512 | 7c4259a79f4848b6e806e3d8c8061f04f5f030559ef419ee97d6dcde88aa7750a2886c698d0b2f4d45736819032a8cb2d19404d70d9b88e1e4ac4ac282bd8801 |