Malware Analysis Report

2025-06-16 06:57

Sample ID 241104-bm6ppazfmq
Target 8e6e6628361d039687659382a446970b_JaffaCakes118
SHA256 7d1d456f15dbb86720ad82d947274e9246215e4c809a9abc31ac87269d6df457
Tags
discovery evasion trojan
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

7d1d456f15dbb86720ad82d947274e9246215e4c809a9abc31ac87269d6df457

Threat Level: Shows suspicious behavior

The file 8e6e6628361d039687659382a446970b_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion trojan

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

NTFS ADS

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 01:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 01:16

Reported

2024-11-04 03:23

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe

"C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3384-0-0x0000000002450000-0x0000000002451000-memory.dmp

memory/3384-1-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/3384-2-0x0000000002450000-0x0000000002451000-memory.dmp

memory/3384-7-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/3384-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-04 01:16

Reported

2024-11-04 03:22

Platform

win7-20240903-en

Max time kernel

129s

Max time network

148s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF77F331-9A5B-11EF-BEB7-46BBF83CD43C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000a4b47eba586d2d28a62ab227a44c3a7ee88886dcf6fcdb76f13f7e6b35ebc305000000000e8000000002000020000000be5049609ff1351896d309da393ccec6f563d8a647adf267bd48ed8d50a075dd2000000071541c2530c984e0d88181e32c52e4ddf88828748107b5eb19fe0d41571894454000000021e15f6767d80e5afa70450129f7c034ed68d7d04eef727e947b232cc6e1175ba24705532f68548fe296c12a9008b73e5538dfcf4cad0809915dd25d59c82d89 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "282" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "197" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "10315" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436852273" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "197" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not captured in this report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "10315" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "115" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "115" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "10315" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901b4d89682edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\wwwD186.tmp\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url\:favicon:$DATA C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.bloggeraz.com udp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 162.215.117.230:80 www.bloggeraz.com tcp
US 8.8.8.8:53 static.addtoany.com udp
US 8.8.8.8:53 platform.twitter.com udp
GB 151.101.188.157:443 platform.twitter.com tcp
GB 151.101.188.157:443 platform.twitter.com tcp
US 104.22.70.197:443 static.addtoany.com tcp
US 104.22.70.197:443 static.addtoany.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 www.youtube.com udp
US 104.22.70.197:443 static.addtoany.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 151.101.188.157:443 platform.twitter.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.180.6:443 static.doubleclick.net tcp
GB 142.250.180.6:443 static.doubleclick.net tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 216.58.204.74:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp
GB 216.58.212.226:443 googleads.g.doubleclick.net tcp

Files

memory/2100-0-0x0000000000150000-0x0000000000160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC2C5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC383.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94c0db25a48538027fcb629ddf4422ab
SHA1 e06ac08af2cbacf15480c2f05de830e7d96cad70
SHA256 399e5e44a98b877a97ecba9eaebb811a80abcf46dd6d806c086fdf06bdb6b474
SHA512 3ac491226c5b80e89525258e217f3a1f3b0b63582f27b3f384fdfda86884eef5fd51f0c5ed0f4d08220b66962d3a7961542d8c367f0d4632fff6bb2e6677692a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fbad4885c5665a2da513dbc0c3c5e6f
SHA1 c8f2ad8122227f1f9317a27bf97114ff25d852e7
SHA256 5fbaa184f448d0309555be878ae0c772d18264fd43fd75a333b800f912e75821
SHA512 1896cd61a2f541d73dfcf5021cab1202a36f64dc700aba33279fb3c854f89f41b0fb01d59f48b234c74974602576d653730bc4776d4ce3162cafdde94fc3f799

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cabacc842da5e7006c305c8a469c1afe
SHA1 37aaa447ba44edd1d1effa26d2352844bb8a8c01
SHA256 db7c2c850f595fe45a5b2fc72a56a4b4e504aa9f753e139d170d3faac3b07c7c
SHA512 44878f1d0d71457d440783b0339817089b619679d4742fadcc3b12e0554640af24ccc9a50cbb19549ff0b4dd4dc8c96e685136be5781f65166de7799a84d04f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bf20417b7c22b012ef7880842ab21db
SHA1 a89056dc3f3f632b21588f015b178f858ab2cf0e
SHA256 800bb2dfa3ee94029012c002b18e19e62d0363b90a723a58687e80fad57b3d9e
SHA512 bf66a3a188c8d86d59885c9240a3b6a8f886304772d3468b4364a5f4c2b4742c5b32337f12318553fdb6e33973b50bd79535bd9e5e8c55f4533e86e051b39648

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45625bc0f1fde9c6fc37d4ecf5f0f5bf
SHA1 1e528ba338d051b8ae89a7e3df04d1c2da52c7da
SHA256 ce04e6c408c78ffe4a1ac2ca4ff2412e843f6762027c9801c610a9935579a89b
SHA512 928554d5c9fdf0123d31aef20c838e24d34049d4bcb268500d6a0c6be006f950d5619c39a47fd3ce43f1f2134bb2fa5eac0675ab6f70ef3a554e67844e5b54f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2e4481284ef3cf7402cd14a390acfcb
SHA1 28a2c6fe68aba7cddba807677d1a0aafabffa708
SHA256 c6047f6e1fce66362d45a50b687893d83dd0fdcb2daffc3c6c4c661e3cc8edfd
SHA512 70656e0ad0284ec7ce0d655d57ef979d5db1eb478a2612844b553d89e8125ce42c6976190830d194958e3d5b9d67087a464747fa4ec3f308c98af42eec6286d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 affebd2410f96ac214e25041231ae71a
SHA1 4981dac88b2231308d9ff5391bb7c7e311b2e58b
SHA256 5d5ecf46261c63fc7ed6106f3ea3486c7e64c1f120acc677c64db8503ea292bb
SHA512 af7c4df3b0b766073fe47591912fb1b2e339c0a0d391203905251ec6a9e945b7e20c29d734ef9decd4d8717af045ba03738fb852719c93c218cbb472e01ec7c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 598c3df54ebe29e984cdd9d68447da3a
SHA1 cbde9cbb6dbaad5d961b50836efb74abb96ff5c2
SHA256 1927d26351ee15d3337cf67a403f1c2a3871e776db7b257b4c923896d8a3cf96
SHA512 c9281c027a4151a1f99f4bf3d17d16dd1c50d41ba29f5c7cb1971805014700159dd79d2add36d7a17c2e90a0213eeccc2934c42ebe6689a0aad298fbf030a80e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19a91e63f6d3d0716ed3953335133668
SHA1 cb122011bf1178825c4886bae126dfab9a097cfe
SHA256 72f0aa25b09e13d03af61896645be16343a9b278f79301af5c42686baa5fa4e3
SHA512 aa083a9ab92e00a5373738ebe0ee59ce14112b1c689a01c0a8e12540da5f0c615a3ab365c60de7c9e73615e93d29c700b1441ffbc465bd6bc1b503540cbe1e82

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\cropped-chip-32x32[1].png

MD5 d94ecb50e54abaad6b5a912225285c29
SHA1 8e6027ca07a35999869c5ad6087a21b5cb4989ee
SHA256 51c59eaad58fcf2e451d316b7667ead359c04f31890d05c8a8c1843a21fe5035
SHA512 68fdcdb18b8100c6263f3433df616d751dfa8953d3be9edfe8b4f79f76ddccf195c504375c4b4264a50671cbd4ae6506e52020d29f59b174000f426ffc56937d

C:\Users\Admin\AppData\Local\Temp\wwwD186.tmp

MD5 c4572e615a21f27c97d802ba69f5a99a
SHA1 22a6bc2a2bb9b644f413d01c9b47349607924f70
SHA256 bd6a3c7be949c2dbc4960ab956e7e1e80ecfa1a543470a5f0af493761c409ad7
SHA512 bbff500933e3d4e80135495ef157d9f919572fd72ba65dcafd2e6c4c7877e0a11f709c2e9cbba0480069f6bd83a031f1e5fb58921265ad627e2ef4cedf8787ed

C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url

MD5 75e413750b3a35a8665a79efe8f2c6a7
SHA1 6b3675742c0a157c8fa39fce52fea617963ad8de
SHA256 e3594203157b04722269db26fcc3b4a229a8f42d47fbb3fdb7bc5640630eb89a
SHA512 0550821aaa3bc0db100b78ea6787843a84d984a4911e338d44adbceed417955618ad2409f45a15b1cc128c7d59f46171a223a23e1a18763b2a75b874b3d2aea0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

MD5 d11df80a2f3758ffb2f3074f6f4379b6
SHA1 edb8122733eb1e4973095db70b194841f7c51c16
SHA256 8a73861530d8a60a10f67ecab7133950beadbebd5efa36e03d688392fda04191
SHA512 5e302cc853ebb61cc1ac6c1e527917f4d16eb10b87b779dd59266b8ae4d9a01c14804517209a38957f124da573340236633d497243f95927233271b0a6893a3b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 c7f571319cda712d3b69a49e8e38104c
SHA1 4df67f22da1c5aa96cc2f34e2761245a8f5c50c9
SHA256 d3017ab6275ab85d8847f849426a6b786cc4c349ed6e60015d56ac319aa24aef
SHA512 6bf6a7bdd83ae6db8ac4e6d00ca8678de568a5e79737175df04c201e6be66f154b16a0921a120a0939f473d1e84b005a505077b746a08ac2e16c59957238a351

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 c7bfbb7aad0eaa176bcd0f9a7be31550
SHA1 a4c3013bf8e7829c61227b00f9327ef970507bd4
SHA256 6006cdc4f242cee6f8499bf8c82f13e3a5f8f377f7b1daac1ca55922d768c89c
SHA512 bf0fc64877e246c63732eadce4afd642038dde5ae460979d38c423d5cab9f11e1b088f74b32eaeb0a3bb3be5eb13e04b154e73a9dc9ddb0941662461ed1b1fc0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 aa2d954f573ebca2f32f348ba8545aa9
SHA1 eaf4b74bba6e857c20d07f04783fbdf3e7494c80
SHA256 e0c568bbe9533c004879029667e1e51649b6ac1c58c85591696be5541a64bef8
SHA512 9cee8a4c8444651e0323d714a3103dff458cd42a65ce40d1ac86c304d898485c26a10f8ca60175a231edc4527aa992b09f260b75f15691a3c2490d1506b3edf3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 99d3f0ff0bb3e5382487290aee10b6ef
SHA1 c856fdd1bbe146b2e10e45e14fee7a6bfc39307b
SHA256 a1c6597826a0137f88a10de45f3362cfcc0777f06680b6c0d0569a0b74abc706
SHA512 ec4a4d64ef12dcc4e224b1e2ae9bcf4e23f9556354f1053d815314df2144a74ea63931d8515ea5b9b55857f0e8566c751e6762dd7d2a4b3e47152a219e22dd10

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\RTW26M5Q\www.youtube[1].xml

MD5 b807c50186e856530ad2643b9a53ceac
SHA1 c532317b21f3e6900c9cff6095b0cc65d445b564
SHA256 34f8125a5e97cbd9245aef6d784ac16145d4edcaa7b746e4a0abc99d1b57ee05
SHA512 700d88a02e3ed8ad3b307230a4a0fabd10040067c3f7c3833731212d7038eb71d0803c559613487ebf16df3c2dff968993675ad337507abde9ac405fcc075bb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eac6725c333510a0ecf82f59b0124d36
SHA1 e44e72f7007479ca7ead2d9cec8b5a0861c5bc5a
SHA256 44fb268e0fa49a049e069fb95b09c69bc8fc0da194a04537ca058a450c2383ed
SHA512 98e36da70e6936bf7b746c190d844e5feea66c6d9e265b1b737f3fc168d79b2e14a3edcb341c9fbf6e1da80b533d9644023ed74ddccaf76a954367ac8be47d33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89d70d0dabdf04bd6c1daf19a15eba7c
SHA1 1a856db869950f0b32408346bd463194c64d03a5
SHA256 cdfd7d394d20eac2f7472db37e6617442409da1fb3fc622b97c2c5f50cd79eba
SHA512 774ac35d14ac9fc5381a2920bda130ac4cd1d86dc2ff1838b939d6d7948fea67267d6fd7cc6a98c79474ae6dafab065b222c2d10d4e5709376c7e60be7d59da7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f07b0114cc3eb5765a4678f3fd7ab921
SHA1 150bcd166bb931db17e177f57db0ce1e70822888
SHA256 01abeb17a2ee6225cdce2261bfd4564413366391e2e0900b2b995d73b4738b9f
SHA512 bb044ca4ddc4556461a0b70b8c29737279bd5af23c0ab94a4d96cda66ca2ddf0e3aa02c3972eabd2e0b29eb774df6239e01e3f54956a852f4d0611b5f56ccabb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38784405781bdc20b56cf34fd4490d25
SHA1 7f2c70683c814d06d21aacc010b9eb9bc23a43b3
SHA256 64314c5b0a214c6b1b5dd41a76eba63a2af5a0587df18acdad554ffc76947a46
SHA512 13fdb6f9024ecd3a349845d438de7dc84a81264dddc9a46f1f11d3928b13f54d61a3f524c69d48d2831ce32003ec2041c7bfb12df8936591e367bc376f50f936

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7dad9bc7ab563a76d6c0fa5917bc687
SHA1 c129a64f2850bc860401b1db4a413800eeb6be03
SHA256 67c50ad64894f25905e32da346bbd0693b8266fb7addfd7e1b8e2c79bda0ad7d
SHA512 c010da842b5bb187351a4e378f422938eb633c42fc0ee040a7dc78a896b703aeff4c84ed9f549e4c3940b40e9d0a9f1af2ec76982a9637cf044fd77419a411b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 029545f4d89bc5ee9c43a6ce6a717bc1
SHA1 d0e3d9fe4cd4870a65bc33e212f42a0b734d4e2f
SHA256 bfb0496d4bbf848a7054ebc5dc769a4e3bba71227f2e5b75bb57530ddcc34a8c
SHA512 25dcd02577ae5a878a0ebb1e19aad98531be1f73442d0e3bf7a094e0744fecfaface014f0e7057075debef87098af67f146c66edc597f5f4299f0bb50140a606

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6080110f2ad717c90ea5ba3eb7bc04dd
SHA1 8178ffdeb5c3ef5303233291149c353a91c33f94
SHA256 563fe29f5b06103ac80fb8b32ae091e83686355d4fa08178067f2a312a576a76
SHA512 1b23f76fed1a880dab1a2f6032bb2d08b75d66815458ce4562ec1c6ab76d8f116d619a7147a37edbb5f89d8f978289666bfc2907fd627d4b412a7626f0ad5907

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c00f91f9bf6325548da5659277d01c0
SHA1 ef847c132194d179c048880f8cfc7dbcbc5d911c
SHA256 ca916a4e001388635a84b5c5804a99d7599545ed7b8d72af3f13bc4ee6995a18
SHA512 d0c44455e5dffc0678de87c13a7bac5b283fa1db1f2d79190a65496e645ae1841e9bd06e8866fc84212a9aa33ff0b53738791c040e20d2339771dfe9828535dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ccc9962eec3959fecf5255229e5274f
SHA1 0686a2382179ca2afe3f79a00d8a12efcfdaa2f1
SHA256 cd2b216ae0739e89ca3ffa292d622373ccffece7bf064df26c260caa9d7b817e
SHA512 e6c21845f05246ab709fd8bf32323c64fde490f3822635fc3af658ea899305970a246dea0dae43d02e5b6fe70ac829e532e9d5dd93ca158998d2f9fd03a08c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c8acbb1d389f607f6a3900a6a4d2c4b9
SHA1 20f2a0908bdee46c2cfa4fed640ed9e04e906313
SHA256 13280e39269617d3907fdb83272f2316dddc5066980b0582a2979b5dc37e4dfc
SHA512 a815eae7afbd078ce8f8c547ad21b32821bfddb5c4e444e3c8513f73355cf62ca85b4e72190e51c5f1fdc8f52d084bf61844caee1d982d78bd8ef993be081655

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6e7e90f4c79e9309c9226ef1af7c723
SHA1 39c2b4d84908b8aedf88a97f7aaf34cc9d1b844d
SHA256 6f991d87dd0518c36a986738b271f2e45d7455a82cd9f618d4da807d30bdcf2a
SHA512 fc3804867c541e9302caafd9575ccb09806bff9b34c927a027065dd6dd4b1b55513e452c2812e6d9fe14eee78970cbd4d2939307db91e22264d21e842084d2c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0754108f18c0f0ebd7760a6c8b0d54f4
SHA1 c3645712f229d5787c417b71cc8870a174b3806c
SHA256 fe5db561e09c8c83e605ae58236fdb31062c65a074f04c9c55981c43b162ebb4
SHA512 840d6b6511a0fa0b7792cefdb24e6b1de59c0d390cb70ddfe714c478d5543e690b929cbb7b6c7dcd228ada7622e7645463871a25f4492b744d3c02e59fc26c90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b74918028f51f19d88b1df655e545850
SHA1 912c93f09746a3a548581ed028a658b92d083e75
SHA256 4338d68c3d8c117c32f9d48a64fb057ddf1d4f2c657774eb4075a4da12e2745a
SHA512 7fc1ebbf55c50166638a5dd6af3fa82b03cce9716b06a505670ee1d856fe2a21268af53c3baaaf6a4820c99afbe925a2d48cb5fce182e67c43b750879526a805

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 520cf209903d8844b1e6091b8324ec96
SHA1 43b4a15fcd2db7d89e0c9602d8bdc87d2a564e8c
SHA256 4cc5954c467dec41c68337b16e60d712b50cb8542cf45f34edc18204a9d5c46f
SHA512 67f3b627ecef6be03d56074eecb4b11b1a2bec1df300a153141746ab7cd977f928ab2711310348fe073741db4ed9e639aee8fadc95f9d77fd0d8ea31adb3ff5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66153ae55eacd4f82a0d8bc3fb44a34e
SHA1 00f0d6960141792625272bc41e60effcf4269612
SHA256 644d8bbc30e8757b19702ee2078a7114dab18d4519b6bebf5fbc4c2ce9a18482
SHA512 93e125f6612699b24d6f73dca54421975752ee4c6b8ebd3109294668d6facfacdd24d9dcab2391b29eae64f5b647bdaef1da923eb24a088e779ad9207ec21da9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a173417895571daaba516038e3ba7384
SHA1 b32d33a40abec6f76329d908f5a34fd8cade6d4b
SHA256 de088261309b2bb5c35c2ca636f92b38058aea30282fb2ff662c7e6349b778e7
SHA512 0ca71705c61736fb645372e999c9f861eab05f7bfe99bedf84b4661200dadde11e89e80c7dd707cd9090bd5692e2be91c4409e0efefaf08b1a1c558a3409aa11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8801a59953f04583335736388efaf214
SHA1 725cbb05182b4ed5eb6238e7a16bed4b0f3e0634
SHA256 8b430850c8ef8d6b7008156ca73df1b49328232bddb12a3aa152a881a1d6fabe
SHA512 ba853f5dcf2a87c0934625ee769d66ce88498b589d4ddaade3a2d88105046332c21934ffa9b552b79c0958c8552071eb45c98f42d332ae2b6ff5620e964ba713

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f166407fafd273b4992698020bc6271b
SHA1 105b6e521215366e25ad198a41f6be24269497cb
SHA256 a76b71bf86277373e9c6b0cdc42fc5c3f97a11b88c765c73b0048228dc9d6bf8
SHA512 5809dfd30deeca4695e628a3f301703fa9b6d54c3c50a222dd009ee510b6632e3d8c388e55c2b0770053bbe158d2d8e7c6f863b56215f4f7fbc887c7086080ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 d39a568b2f5f8a70d12b827af6eda342
SHA1 6184c1e1ecf56af76b0261f008c86a891aa64cdf
SHA256 a6af90d132260ad611838b6cfa653af5366939bb30dc3253f15927040b3ebafc
SHA512 db30b28e3cc2cfda1de68d5e0753e6200a7b0250cde88657e37fc2e88d349313cce805ff880fcc567919d309ca53eaea35b79844bf0eb347765b2f43f773ea3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 789dcdc3ec2449b9eea24fc5b83ea07b
SHA1 566112337e912f0c58ebe653f18f5c7a24db414c
SHA256 7f7c224235c623e81289df1b57b6f8369c478db3b33891249e2679300f2bcb61
SHA512 e8268d1f428355381b4670be163522610e858cead48cef2953e1bc8783bab8e4c79c9fd53d1bf8edc317bf45d5a98989d82ead4db37637a13e639a7e6bfc55c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c848f239704619385c66fd4a2cc1ba17
SHA1 a0fd11e5e1bfc62ad17594dbed470f388489df05
SHA256 a7d9b9ac2e7b54896ad1fd1f26fcf11103b478c8283afd753da6af24baa7faf1
SHA512 9b00b21c0fbd1d585d006e95b653b3d7c8c6f0380113aa1c1c2c3ed898c90f2361319f2c50d6f058aef6e02fe435af9a667191674882904d075085463807a371

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8751793949e618428dda86467c6c8c8d
SHA1 884c17f86910c638bfa9ba3b5d67cc5fae506964
SHA256 cc1a1d473ac14954e1621a1b64d4d1b7fcde63b687f11dbcffdf314f29cf8b4a
SHA512 a633724a6c6c57e8d08582294d34ed4e58b5dcda91149fb6c4ac16c14ceedb16029471522b6718ea23f27490cb98175d15056b1492484eea41ecca63895169bd

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-04 01:16

Reported

2024-11-04 03:27

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url

Signatures

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4584 wrote to memory of 3060 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4584 wrote to memory of 3060 | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 2544 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 2544 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 404 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 404 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 1472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\rscat\Readme.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bloggeraz.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff06ba46f8,0x7fff06ba4708,0x7fff06ba4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,14928148372010394749,11862450025570937138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5392 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.bloggeraz.com | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 162.215.117.230:80 | www.bloggeraz.com | tcp
US | 8.8.8.8:53 | static.addtoany.com | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 230.117.215.162.in-addr.arpa | udp
US | 104.22.71.197:443 | static.addtoany.com | tcp
US | 8.8.8.8:53 | www.youtube.com | udp
US | 8.8.8.8:53 | ojibwacasino.com | udp
US | 8.8.8.8:53 | playatgila.com | udp
US | 8.8.8.8:53 | sparklewpthemes.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | platform.twitter.com | udp
US | 8.8.8.8:53 | twitter.com | udp
US | 8.8.8.8:53 | www.addtoany.com | udp
GB | 151.101.188.157:443 | platform.twitter.com | tcp
US | 8.8.8.8:53 | www.sclv.com | udp
US | 104.22.71.197:443 | www.addtoany.com | tcp
US | 8.8.8.8:53 | i.ytimg.com | udp
GB | 142.250.187.206:443 | www.youtube.com | udp
US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp
GB | 142.250.200.22:443 | i.ytimg.com | tcp
US | 8.8.8.8:53 | 197.71.22.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.188.101.151.in-addr.arpa | udp
US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp
GB | 216.58.201.98:443 | googleads.g.doubleclick.net | tcp
US | 8.8.8.8:53 | 22.200.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | static.doubleclick.net | udp
GB | 216.58.201.98:443 | googleads.g.doubleclick.net | udp
US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp
GB | 142.250.180.6:443 | static.doubleclick.net | tcp
GB | 142.250.200.10:443 | jnn-pa.googleapis.com | tcp
GB | 142.250.200.10:443 | jnn-pa.googleapis.com | udp
US | 8.8.8.8:53 | syndication.twitter.com | udp
US | 104.244.42.200:443 | syndication.twitter.com | tcp
US | 8.8.8.8:53 | 98.201.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.180.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.42.244.104.in-addr.arpa | udp
US | 8.8.8.8:53 | play.google.com | udp
GB | 172.217.16.238:443 | play.google.com | tcp
GB | 172.217.16.238:443 | play.google.com | tcp
US | 8.8.8.8:53 | g.bing.com | udp
GB | 172.217.16.238:443 | play.google.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
GB | 172.217.16.238:443 | play.google.com | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
GB | 216.58.201.98:443 | googleads.g.doubleclick.net | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_3060_GRNYWMHCIHTENQYU


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cba4d844-8886-4cee-9eff-1a30113ab4a5.tmp


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 01:16

Reported

2024-11-04 03:26

Platform

win7-20240903-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe

"C:\Users\Admin\AppData\Local\Temp\rscat\RSHappyHourChecker-EN.exe"

Network

N/A

Files

memory/2688-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2688-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2688-1-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2688-7-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2688-8-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2688-13-0x0000000000400000-0x00000000004BF000-memory.dmp