Malware Analysis Report

2025-01-02 15:01

Sample ID 241124-l8ztdavmfx
Target 9401bdd3dd74040b371abb07d85c9914_JaffaCakes118
SHA256 f9070e98ca18fe2ff7b5934e9c90f627ea6e653506496473fb9ee688d43ce8ef
Tags
discovery execution cerber defense_evasion impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9070e98ca18fe2ff7b5934e9c90f627ea6e653506496473fb9ee688d43ce8ef

Threat Level: Known bad

The file 9401bdd3dd74040b371abb07d85c9914_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery execution cerber defense_evasion impact ransomware spyware stealer

Cerber

Cerber family

Deletes shadow copies

Blocklisted process makes network request

Contacts a large (520) amount of remote hosts

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Drops file in Program Files directory

Browser Information Discovery

Command and Scripting Interpreter: JavaScript

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Enumerates system info in registry

Kills process with taskkill

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Runs ping.exe

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 10:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Dedicated_Servers.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADE92971-AA4C-11EF-B439-523A95B0E536} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000dff457c518f4ee604105f43798468c305d71de40490d4ea0bf928436864892ca000000000e8000000002000020000000d27c2efad703632f368aad31269fd1663633a10a58c8e496e4d09d3d498fabb6900000004c91d0428aa2008fb3d86f43cd2847b05957ecaaf7c88cd6a9a8908b499e883b8a23a14e4caf7c0213d1c8607971fa99bb683fa826545ce56c90d72572c4bdbf24068e4c26b6a3d038e020d91b06ba900b57a6b9d6f947c3dfb2085be0dfbcb0c8e27c1c5ec5982e06a8cba77025f4639c9685841e33a33992a5b0cd75681f6b3b0306a9bb140a5dc382b0749aa7bbc540000000f7d55b13679f5f9b7ac38f8184ec7410424efe30d754944270efa46a79f51a986b324b859c1dd4a424d0fe8b67ecc877e29d8c18c2b40419bdf44e1b9749ca44 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50314e84593edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000005e301615aa8b41a56ce874834b396ffd8794b6bd20b7ec9a958f7874a054f11e000000000e800000000200002000000022aed2b452408d210a39320a874dff23781bd4c7b7a15b75cd7518ef7c8ff26c20000000a680f22fa8755a7047a2844411b1777429d2259e8851a581a3bc3c95d94c0e574000000010b4fb1fa19794010c727d164bd75e4e9b2391606d0aaf81465859244060c50cc6844f373f547b3e4c47252740da9ac957ddf81f8a56e5917c245bc892a84761 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438605045" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Dedicated_Servers.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 faq.he.net udp
US 64.62.138.190:80 faq.he.net tcp
US 64.62.138.190:80 faq.he.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabB2AF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB31F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3574e26234bcdbe581c7facf1d66c503
SHA1 bf7bfc4a1f6d0a8cb32b638d1fc08fc5d616727b
SHA256 192ea65a48fc1d2fdd3513c82345fc7b2c8f3671537009a481aed4a2a6bc9efd
SHA512 d99271db4837273a52519b396ca6562649aaf9771f25294fe96b1a48cd548d0ef5977f48e2f587121d2b39aa8cc5b528647fd7bde654f89b4f7057083b924962

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6c5faaecb020ad264ecd73c91b0936e
SHA1 6122e6c873c7e6db4417afa1f94e11ec2fc795f5
SHA256 b6f215afa1f52b685805ef21765636fa350b3726c53b4648d5b9f64c39f84425
SHA512 75a7f755545e0c2bca5bc05c863b76d958eb1778fb4a495c2679e6cf6f4601bbc0ea1e9c5fda76814bcef2160ab8615658ef2fa7fb067d0bda4e53c0cbbbbb6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36a1a76ca01542147ab18ea11c61aff5
SHA1 396d31350fa79bced89e85ab7fe40d6d76257fd1
SHA256 1f5d8f8d7a460ae52b29ac674e4a6b1cdd38c7b231abf4bca37a0931e304b186
SHA512 bbfda886c4be7c24ecd4c0043092ed9685855d9c398dbc127360a7551d05a87fb09de63c06482f3db967664506479c249310fd01bf307dbb3e0aefeeefdf036b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8408f49edfce54c0343ba25913aa4416
SHA1 f240b5e57bd96f17d8e74facfc5d462e1bba31fd
SHA256 8aede3ef738531883da3b35bcb4a4e139125fc1a1141f65b1dbefb0451f24134
SHA512 48d031f19dafdc873814e430fbcb14ce1a6d13e09a3f6cfc4a5fcd17825d2206fbe1448e90fe9a51f4703f3ef5443ecad2ecaacc25e2b3a4ba9591e43ea897da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 221d423c19f3182068456c8b478c5deb
SHA1 f73d0e6abe53396372fa278fc86790e185e691f3
SHA256 9148d12299680acf328f6d38893a759c85ca9e5662f0155739bba793242b6d6c
SHA512 6ff809d528a0b1c5b9fc26b23570fd5bf6f82cf35d4985d0ec29a0b86234724fbed8c047eae6f832af19ef39208f78dc56c44218250123a21a02491e7d5dfbd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78c9f58d16868b7d28e4271f5ce6e1ce
SHA1 bdccfe76f9ee93c46f03699f961f0c99d6f091a2
SHA256 1aa4e0e018c8f96c5e14a8571e058d98e7f1c54ede7f69a13fde5cd8a382905a
SHA512 a3564c3810e0c8e03601e91487e34f3a65d743cd0ae0d11505f5d031ab1c48761d7397f8008d32fbf3a245003976b64aa8965e4c78fe7a9992b47a6c5aad47f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2b7b8c07b58f2ac02eb79ce26c78f3e
SHA1 2db31b7b451644cbb4621991de0f00972afa37af
SHA256 190ad050eaff017f1928660183f478d1ec55c44cafc09e110ea441324c84774f
SHA512 13f23b3e497af09cc48d1269aeab1ae48e3cdaedaff11a1253ddd03f7407ab9571405a856cd2c0015a05449909b8f3b632e61a8f9228d560f2c2e5960625ed67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb46539523f88ed3f28b0dde4dd0626e
SHA1 26c12f5f41780ac4f076adb8b23044919f76e5b8
SHA256 e27027d6a541b2a1faff0178de1aa12374c4a790a5c449a11039342eabbfed9f
SHA512 5f33b03fbb46f1e1db23b39987319db34f70386d0292f59cf30434385ef8b237c0e06af1dffdd5f739b1a4ca67a059f1047856c85ec13e87d0a9527a9f6fc5b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11f75d9ecc7788788cf3a72559c5bf49
SHA1 3f2fa91a2cdb8ca3114c7673fb8fda9f3b5e3e0f
SHA256 6c4adfa92128f45c0cd54f57707d308be3c5f335469202d8fc1b28bcbc70eadf
SHA512 5c80fba2eb6192b7c3aced29c1e1b4b13a385137f39080918baea3bb4facf685d079fb2190a4509b517cc697c63a304d0192ec741b9eeedb7a262724a7f28844

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ef285440a40f474fb6852f7cc63e49b
SHA1 df6a40034cee945eb17571640fcd8bbd2eb42647
SHA256 7833e4c96b13c7c7d3664d233c46094f4b4765cb96e314f061044b772f48bc0d
SHA512 086c3ae38f6605ef00007068f57e870ca542489b999beb558fbd9c53a8f8e8663cbb84e3d20a5c42b8b04cca69454002641e73790d8d2749f092f0f902664bf5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9877727f31e0ae2eee550def3885d91e
SHA1 a8407bab1380e3c6d2429f18637a6cb9682fd4e4
SHA256 877c9d132c195dac4148280911c8ab9015183393758d41b3fe0ac4cc97841e46
SHA512 57306d67217f95acce6380c766fe614fe10339c7d41eef35c4d85a84b92bbff22b95fe8b57c791b9a5c525d82e6d447ebcca5eb5f40aa9a125a1932abd6f9321

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04389003fb60fd5c7d4c98fd6cdd9eb9
SHA1 9b5598d7e6f7a6ad6ee70684021b4a299632a66e
SHA256 ec6faf2ff73b3a96463a2eac8b62432ea42fa63baa6e8014f9e684714c118637
SHA512 6f02aaf6e4fd0a14262fe4e2df54a388bf260a443acc8776fb87778cf942798939994cd8b72c2c5c31ace2b2a2f1ed76b3754f0726fec38eaaad51bdffa58015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5438d0c87710707e0a4e1e4a875277be
SHA1 accc89e2989ff335fdf52991f16b14f82ff924da
SHA256 0f98559cb6053c78925c09d7d15a28ccde2e88a9665ffa48ecd1651ae13a6ceb
SHA512 bf6e87f90d387ceb6af6ef41a8b59b5b7a47ccfec09b925af1af3d663ccbc90cba052d22652c7e48dca187348ee1db64eec6c3b53fd9331410c82f63ad4152bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f75a5a060a6471ef45291f684139682a
SHA1 fb63b3d5679d08c16c78e2f71d7cadfb6c8c2178
SHA256 83c0ee0498572993120e52464f3fe8e15ad9ad7f4df64c50cf7655601e602eb9
SHA512 89e692a2eb16f02965b6fdf8a200de5669512772098b745eabefa4c2111d464c9bfccdbdaa7b987993b01eaf064187f5f2a66f3a6c65376dfb6181543104028f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bdc540a02b12c63e2bb0439d814fc54
SHA1 f1ed6f4ff5898b032f04defd7d676c9d4bcbc9bd
SHA256 a4465f3aba5ab2a4a852f193904643f089e0eac58f6616f816656ba797da5092
SHA512 4900cc0fc40afb8ba2e44fcf1290bccf71210f74fa41b39dcc68ade05e5aad2ec972a91c3f3d8e11793b001c9b7cc7cd546c73543177ed5591a872645ee0a113

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 778914c6f024d53dae6da628c7ce38b1
SHA1 a36970a9f191076496365fc2f523fefa3ae1f5f6
SHA256 181cc95849d8929b92241285202a748ca6def2e13cf96e605d28404e68424b10
SHA512 0cd534055d80942bac516241e9a9a8278e3e8a0cd19e6a9033c372d8756177b32000388107ed05b9be05f696a7307a25097d48a804ee112f23bc0017befad1fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d71d647fc2dda4e365e2e7e353f9553f
SHA1 2e7f1eb1396973e0c2efebd80b2c65a43a1c10ba
SHA256 2eceb11f8c136e14b16b926266884867ae4147b7a695f1b0fe5fa75f2ace6aef
SHA512 fd4366a0c511b0dd4cc2048311a8656da27477a9d3add06b8838a238c4c3ddeab2c641a9ec33c685a2b28770171af9e20bff966906a11f603b66f0049d1c4c5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 523b27bc8d05068991d7bd102088ff83
SHA1 6de95acfdb2b54c49cb54750cf3baa44838091cd
SHA256 b39b33952c6ba6d26af862dadb16d4ca8f1813bb3c0bc4b877dca38535e1c287
SHA512 365c70d33be16c210d7ff0037784df0d1c69d59e78272933be9b9b3b8916690b23e9c28998465605a448df357c0eb25f622276f889189683738eca5bdc55a4d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b2583f9a2052414b360d90d3a19ff41
SHA1 dbdffddb202e0ee536479c12f9ef1c41910c3118
SHA256 9f78341e96d799ab89cafcca9b0215b46d36e7f36670cdf21f515fd2768d722e
SHA512 022e390a54c767e33e62bed3e1e4e299d45c7ef664cb111a39d004518c30556a281c0ef58706d2780d57abee2578c359d493657acf206e391b4ad99273ffab5e

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

133s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\cse.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4064ce81593edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438605045" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000e4ed16fe5233ecfef5984baf02732470110d7841e00dae3f2d8c6d14f6870a15000000000e8000000002000020000000b32c969e4a10f9348802a16ff2b59f77c52b26dff8594ecfd70458c28a4df4e3200000009bacac984b2887230c3e413076e27421037af2540626997e9cba29e1309ad50d4000000024a873eecc71e8bd72f4b6b6b69b2aa92fd537d1e0e65961c13575170103c841f1b40f0962a8763fe968ecee26db8407300a41fe61f9a7612b218a7519f93f99 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD523101-AA4C-11EF-ABAB-F245C6AC432F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000391cbe298effe3e8a0f1455290ce4851dc6bd7b6c66f03e8d7243df121ad725e000000000e80000000020000200000005beea5f61272cdddb8c605d0b554efe51ec4aaeb9f22348423bb3669113aecb1900000008e117ff5f1564d4e0addce9c767d29f9474f5667e5860a0e06ebeda4d6f581f4a75abaec6c28f61d83b366a2075fb1ffb14e79df43caa85b22ff62d374956e24719adceaadf7ccf0a7cfd4a793c9d7cf45540d738f6328b282eb8698f087b6168495072c2e3ca76f40ff5db4ab0816774a50f030d8b8027425603512e361736daeeb20a7c14baafa76525f28ee97b5d440000000bff434bd8d7a700c5afc91a5f910ee22ba10badcd64f1406664b20715b132e67dfeecb2e1af309f99ed2ea117d21c5867c8d3eaa5fd285a21f9241ba4cb29a8b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\cse.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF46F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF54D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb8541fa71f900891c34fda8df6490dc
SHA1 507c47d16af49ef67c4c8a2bd6f04a9b46a245cf
SHA256 d92e7c6486ba4129e0d28915a6b6bb613c037a65213e539027ec5192b00c9cd8
SHA512 00beba8a91f65cd33537c6a6719be3f398e14457d9c621fbb21421c486d0f95fc4171c4d035accef9d64dd8000d76936ff19f9834956a9b4be200ec16f7721c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83f3f3f0d9c0583ad2c34d3141dc6ea3
SHA1 0e291ff9bfe20a65d68c34f4bc3d66ff8b3ae647
SHA256 438533c03c418e675a339a49d50c490d5e1288ee2d0b8b8148f5b855b6a51fe6
SHA512 178ee27bbff026d22778fea45f6a21cdd2dfd79ea412b5caa8301dd7f629d1a978b6c1e339590148b18bd1e1230c52bac6462280f8c0c99da4fac1521372403f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c97cfbb5b41fce025c7b452dcd3f875
SHA1 132d44a2e917a14dc2ea0baa45b2d9a3fc74f403
SHA256 b744fa345c91fa1ce09fd3731a06da28f62ca93d977abfc3b96259af6297ef4d
SHA512 216ccabfca0979681062d9ae9683e1522c109c588bc007c108d575c7d64fb0f2520453c6c0a4960a25df898a354e00019df43733b66f16b431111323bc492b56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f55d6d8f20476757ee18fa08f5ef8d8
SHA1 9dbbbeca17f3c550dbd594c5517ed756f238c4e3
SHA256 f34eb75752be186d2eb966a2650981885da6475a72dfcab10ade98de1720da82
SHA512 868a3e84722fbf2bb648d05bd3cecb249bbf2db7c2422efcc8303292faeb6feecd959932d59b9d2f037bebe418ecd0ebaafb09f516b631e0b8022c3aa1ff6732

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7034367f3164b3b5ac8e715d082e93df
SHA1 47b945b9db938492618a31963efb16a0eaac606e
SHA256 87eea30e20fc8f02165bace08ec576126e685b3f7085e46cb140e790ede37c91
SHA512 fcd019bded2f865bed60545174fa8b016f30aea230a1697b355b5d0d96e51df42e2e4bfd0dacd1693f45fa4665ded103b79cc0b64b0b02883a2c7e8634630975

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea2257bc3aaec4db7321c2975e6c5426
SHA1 cd7fd678734a159183390cada9bb8ea20d3e68e4
SHA256 00e08ab9fa4ba0a94eaf2987953347b2bbabbbf31220ee0e6c67a6a33026670f
SHA512 25686b75939490acc75492a43c7c8c59c7473999cef390ca21200bf0a030d9a5f3c5371d34dad0bf63ef317624daf2c39dfc380efe63d1739d083a7c9b1e4a88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7380ea7af647e5d49a1a8c8d3accf7a
SHA1 cf3d39f9babbde377771b9bff7f917bd1470f8ca
SHA256 ed6b4a4b71dbfac62d310bf8f3d0875cac5eb6a2e1f9d63d4717c4cdd19ada1a
SHA512 e13f78982fbd5b675de4fbfc03bcd942cc5af584c31e6c8aab41e6db7ff87a800be4fc6b78529f8255a9c45c6046da5b6c4c51954419e1c0a223786ec60f2843

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f88551beed6b342fea64f506991ec392
SHA1 9370a4cb29518e72fa3f38a553440eec92d47b58
SHA256 74b893a6a0304a0c18cef29b1809dbf02675f894589438210d40aff80dd8d5a5
SHA512 d5464a931e1cc3e3f77d00f2c071d63e92cdc4f25a476befd98dc40e03b4aa12fa81ec4a7b834006ee35b5aac4a75e3effb531f4b77297a922f01816dc32cef5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4dc5df5a0d157c2e95182b6e7c79c5df
SHA1 d5dfb96e4e6468dfb018f0bb4ffee79b89241db9
SHA256 6b8948db21a5666ac11fa403c9c5927d51e5e1e8eebdc40c5ebc6537d274ee8d
SHA512 b3673c642a0af4afe36b03b1ec78c5fff34f09ec8371fd4d7e68f043c0fda6acda189dd54ab50b7f3769d70426c3166361fb86d72a7e91ad294c3f17c1642dec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12b7545a51aa3b3c7e89bcee9354551a
SHA1 97f438b4f14d8916a3070896fafb6ff598beaca7
SHA256 dc495d639603356748f87a10dd00621a764921de58bd79a9c003b9188021aa07
SHA512 817444299abe1867199a9be6f7275a6d1ac69a72847974d516df9366f2158202a58596778a3c151626d891d86de60988f0f51f9d6333cd22ac749e5ce83c4f99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be06fba3d56215252237558945c87125
SHA1 7966fbd9d2269a545abbaf7716bfb8668ae1eb9e
SHA256 73e4064b5576f86b1691112d53370d3292bfee75c95ffe1fb05252287d2fbfeb
SHA512 5dc2fbe3e3eed9218f1762622f6b7b37ea8dd7911de0e6a959ec603d01a8eb13324d04f1c6aa0b68c9c18b1ccc4fa6563c643d474025fbf9f47f1b3f3193ab13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 537593513ad08072c30e86726c5fb809
SHA1 9acdb2013e3722f737767381ec404e86f09bb5cd
SHA256 1c85111d2d5f6c7847c5412d7f248050e32dfe3089940b2c35c163e30b26e5b6
SHA512 5395914d1f3183ba5d1f9907c4fc5cae505c4152edd62691aa70645a9fd48ae8b9e4295cd7929aa9f7c87dadacc40fce92ad422d4d3ddbb7052bb04aa046caf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd7e117d0605b30955cb4bd896739552
SHA1 f53354f83f6b5b1c053478690a550e01514dac51
SHA256 14f894ecc92c6b4f8cc3fd3b05beb2ae9e2d9b119585b3c3051ff8ae75d3ac6e
SHA512 b0efca2a1010f77114872345d1db9884d1d6958241a8bd9eabb5445259b0e54670d560710b271e21d3fe9e98ce609407a4e0555e0e3964cd7ea9eb596a270ddd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4bc405f5eb9bdbf83948bd250e1df96
SHA1 aa6d94ad68bd8627549648d0afac3e7e90a4ae33
SHA256 d5b11f784c2f49cc9f55d4533fa1a54a4f7e75a6906c3dfab08b00606c2f3268
SHA512 1bdcc6a1ce692e911c6c994e68871f8fcece5dfd141e5931410e1250881e8114dfc8971c1498bf00012eba9c954237d448e6530e275f36d178cb51a26a59c8b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c89f17d094360b08b67d4ad3ec9d101
SHA1 112c6649cc113e4ae0e46fc40fa73647acf6b6d7
SHA256 82583374bf59251c02857811545a588cde2e3b7c0597cc1707fc6aba4c5447ac
SHA512 b7c1c35ddfd0cde634626fb2e58d389bfd9ac6c2e316b6798cd21e4ed3d7f66da3fdc960857b74f1dbb5bd05103ac4259daf20bd7a5fb06aef4adfb20c392eaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a897d154b66eddedb3bd76c88b0287d
SHA1 bed4ac73f9fb2f00cfaf7438a3227f650ce58fed
SHA256 d82030c71660fd053a3f18ba5c268fa5e0be12cdc7f4405ee6ebe17a2a4d2507
SHA512 4a0ae6fa82b85a3128584fcd9de3e3946592d19b04921bf1405e55478eab03bd4b2c04f1a23ef4eb8fdf28cd0106afb16e3331aa0d9351df3c0858e1def463a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ef1114f802a57791f769e39b931ccf0
SHA1 6b57e2c3a814f40b321aa4b9eeb5c81f6371eb67
SHA256 79debfe4cc07ef55fba4c2cb2d28705eca8d28379fee3a02ffe8de7d248fe181
SHA512 93840f378aaccf9bc86114a2f0b554b0903a3b3898c3fc99b1440f1842dc2a21f27fcb5afb286fd02a93a60b79232dc8757e9356ead6d1f713f429cead887b5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f700ceab10d8ef2ffd9d022f34b8611b
SHA1 e2fb9ce40fc91cb06d4593aeaa9be4fa9feb3f56
SHA256 9630feb9c93851fe9163d41bfc114652b2452769822ab177cc6419e36fa71a42
SHA512 8ce6fa1831202a0fe8a37b28332961b77df582455ed46973912cbdb34a5c94c3a83ec2a8c768b875246618867b01420715e8fd8027519f621e6aec1b743d31ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57716de57e6fdc348c2e3cad78d76ec2
SHA1 8d38d23627c4e7783d243e70925b408d277d9b95
SHA256 8e67a09f6e1f451b607338d6a2df44e75163dd5cbdd2b8e0f068b22441a57c8f
SHA512 199fd485e93ea9167f1534f901f90c607d79d5acc6ab2c935782c1940b932df0d31f7d53796c46e3e05722f146d8aa9c41e58d478b9c1514ddd7cc7a0845c005

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f36a6cc538a115ea2bc15f5439eb882
SHA1 86ea73d6bb68f1f4304a4734ddd336de6122485d
SHA256 84aff3d3e70b65379697fffe68d9c657795293dde4824ff7ce38dbf27e7a395b
SHA512 0b3378e752676f9820e1a85aa22eb55512cdc0d0b5aefcd5203c1fd51c1dce1c79e1ab94fd85bad0973540d5736685665431f16612fef09583e3033d1ee22808

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\lightbox.js1651793503.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\lightbox.js1651793503.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 244

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

120s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Deletes shadow copies

ransomware defense_evasion impact execution

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (520) amount of remote hosts

discovery

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp62B9.bmp" C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe
PID 2700 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe
PID 2700 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe
PID 2700 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe
PID 2700 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe
PID 1924 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2896 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2896 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1924 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1924 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1924 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1924 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\SysWOW64\mshta.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2084 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2084 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2084 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2084 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2084 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im "9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

C:\Windows\system32\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
AM 31.184.234.0:6892 udp
AM 31.184.234.1:6892 udp
AM 31.184.234.2:6892 udp
AM 31.184.234.3:6892 udp
AM 31.184.234.4:6892 udp
AM 31.184.234.5:6892 udp
AM 31.184.234.6:6892 udp
AM 31.184.234.7:6892 udp
AM 31.184.234.8:6892 udp
AM 31.184.234.9:6892 udp
AM 31.184.234.10:6892 udp
AM 31.184.234.11:6892 udp
AM 31.184.234.12:6892 udp
AM 31.184.234.13:6892 udp
AM 31.184.234.14:6892 udp
AM 31.184.234.15:6892 udp
AM 31.184.234.16:6892 udp
AM 31.184.234.17:6892 udp
AM 31.184.234.18:6892 udp
AM 31.184.234.19:6892 udp
AM 31.184.234.20:6892 udp
AM 31.184.234.21:6892 udp
AM 31.184.234.22:6892 udp
AM 31.184.234.23:6892 udp
AM 31.184.234.24:6892 udp
AM 31.184.234.25:6892 udp
AM 31.184.234.26:6892 udp
AM 31.184.234.27:6892 udp
AM 31.184.234.28:6892 udp
AM 31.184.234.29:6892 udp
AM 31.184.234.30:6892 udp
AM 31.184.234.31:6892 udp
AM 31.184.234.32:6892 udp
AM 31.184.234.33:6892 udp
AM 31.184.234.34:6892 udp
AM 31.184.234.35:6892 udp
AM 31.184.234.36:6892 udp
AM 31.184.234.37:6892 udp
AM 31.184.234.38:6892 udp
AM 31.184.234.39:6892 udp
AM 31.184.234.40:6892 udp
AM 31.184.234.41:6892 udp
AM 31.184.234.42:6892 udp
AM 31.184.234.43:6892 udp
AM 31.184.234.44:6892 udp
AM 31.184.234.45:6892 udp
AM 31.184.234.46:6892 udp
AM 31.184.234.47:6892 udp
AM 31.184.234.48:6892 udp
AM 31.184.234.49:6892 udp
AM 31.184.234.50:6892 udp
AM 31.184.234.51:6892 udp
AM 31.184.234.52:6892 udp
AM 31.184.234.53:6892 udp
AM 31.184.234.54:6892 udp
AM 31.184.234.55:6892 udp
AM 31.184.234.56:6892 udp
AM 31.184.234.57:6892 udp
AM 31.184.234.58:6892 udp
AM 31.184.234.59:6892 udp
AM 31.184.234.60:6892 udp
AM 31.184.234.61:6892 udp
AM 31.184.234.62:6892 udp
AM 31.184.234.63:6892 udp
AM 31.184.234.64:6892 udp
AM 31.184.234.65:6892 udp
AM 31.184.234.66:6892 udp
AM 31.184.234.67:6892 udp
AM 31.184.234.68:6892 udp
AM 31.184.234.69:6892 udp
AM 31.184.234.70:6892 udp
AM 31.184.234.71:6892 udp
AM 31.184.234.72:6892 udp
AM 31.184.234.73:6892 udp
AM 31.184.234.74:6892 udp
AM 31.184.234.75:6892 udp
AM 31.184.234.76:6892 udp
AM 31.184.234.77:6892 udp
AM 31.184.234.78:6892 udp
AM 31.184.234.79:6892 udp
AM 31.184.234.80:6892 udp
AM 31.184.234.81:6892 udp
AM 31.184.234.82:6892 udp
AM 31.184.234.83:6892 udp
AM 31.184.234.84:6892 udp
AM 31.184.234.85:6892 udp
AM 31.184.234.86:6892 udp
AM 31.184.234.87:6892 udp
AM 31.184.234.88:6892 udp
AM 31.184.234.89:6892 udp
AM 31.184.234.90:6892 udp
AM 31.184.234.91:6892 udp
AM 31.184.234.92:6892 udp
AM 31.184.234.93:6892 udp
AM 31.184.234.94:6892 udp
AM 31.184.234.95:6892 udp
AM 31.184.234.96:6892 udp
AM 31.184.234.97:6892 udp
AM 31.184.234.98:6892 udp
AM 31.184.234.99:6892 udp
AM 31.184.234.100:6892 udp
AM 31.184.234.101:6892 udp
AM 31.184.234.102:6892 udp
AM 31.184.234.103:6892 udp
AM 31.184.234.104:6892 udp
AM 31.184.234.105:6892 udp
AM 31.184.234.106:6892 udp
AM 31.184.234.107:6892 udp
AM 31.184.234.108:6892 udp
AM 31.184.234.109:6892 udp
AM 31.184.234.110:6892 udp
AM 31.184.234.111:6892 udp
AM 31.184.234.112:6892 udp
AM 31.184.234.113:6892 udp
AM 31.184.234.114:6892 udp
AM 31.184.234.115:6892 udp
AM 31.184.234.116:6892 udp
AM 31.184.234.117:6892 udp
AM 31.184.234.118:6892 udp
AM 31.184.234.119:6892 udp
AM 31.184.234.120:6892 udp
AM 31.184.234.121:6892 udp
AM 31.184.234.122:6892 udp
AM 31.184.234.123:6892 udp
AM 31.184.234.124:6892 udp
AM 31.184.234.125:6892 udp
AM 31.184.234.126:6892 udp
AM 31.184.234.127:6892 udp
AM 31.184.234.128:6892 udp
AM 31.184.234.129:6892 udp
AM 31.184.234.130:6892 udp
AM 31.184.234.131:6892 udp
AM 31.184.234.132:6892 udp
AM 31.184.234.133:6892 udp
AM 31.184.234.134:6892 udp
AM 31.184.234.135:6892 udp
AM 31.184.234.136:6892 udp
AM 31.184.234.137:6892 udp
AM 31.184.234.138:6892 udp
AM 31.184.234.139:6892 udp
AM 31.184.234.140:6892 udp
AM 31.184.234.141:6892 udp
AM 31.184.234.142:6892 udp
AM 31.184.234.143:6892 udp
AM 31.184.234.144:6892 udp
AM 31.184.234.145:6892 udp
AM 31.184.234.146:6892 udp
AM 31.184.234.147:6892 udp
AM 31.184.234.148:6892 udp
AM 31.184.234.149:6892 udp
AM 31.184.234.150:6892 udp
AM 31.184.234.151:6892 udp
AM 31.184.234.152:6892 udp
AM 31.184.234.153:6892 udp
AM 31.184.234.154:6892 udp
AM 31.184.234.155:6892 udp
AM 31.184.234.156:6892 udp
AM 31.184.234.157:6892 udp
AM 31.184.234.158:6892 udp
AM 31.184.234.159:6892 udp
AM 31.184.234.160:6892 udp
AM 31.184.234.161:6892 udp
AM 31.184.234.162:6892 udp
AM 31.184.234.163:6892 udp
AM 31.184.234.164:6892 udp
AM 31.184.234.165:6892 udp
AM 31.184.234.166:6892 udp
AM 31.184.234.167:6892 udp
AM 31.184.234.168:6892 udp
AM 31.184.234.169:6892 udp
AM 31.184.234.170:6892 udp
AM 31.184.234.171:6892 udp
AM 31.184.234.172:6892 udp
AM 31.184.234.173:6892 udp
AM 31.184.234.174:6892 udp
AM 31.184.234.175:6892 udp
AM 31.184.234.176:6892 udp
AM 31.184.234.177:6892 udp
AM 31.184.234.178:6892 udp
AM 31.184.234.179:6892 udp
AM 31.184.234.180:6892 udp
AM 31.184.234.181:6892 udp
AM 31.184.234.182:6892 udp
AM 31.184.234.183:6892 udp
AM 31.184.234.184:6892 udp
AM 31.184.234.185:6892 udp
AM 31.184.234.186:6892 udp
AM 31.184.234.187:6892 udp
AM 31.184.234.188:6892 udp
AM 31.184.234.189:6892 udp
AM 31.184.234.190:6892 udp
AM 31.184.234.191:6892 udp
AM 31.184.234.192:6892 udp
AM 31.184.234.193:6892 udp
AM 31.184.234.194:6892 udp
AM 31.184.234.195:6892 udp
AM 31.184.234.196:6892 udp
AM 31.184.234.197:6892 udp
AM 31.184.234.198:6892 udp
AM 31.184.234.199:6892 udp
AM 31.184.234.200:6892 udp
AM 31.184.234.201:6892 udp
AM 31.184.234.202:6892 udp
AM 31.184.234.203:6892 udp
AM 31.184.234.204:6892 udp
AM 31.184.234.205:6892 udp
AM 31.184.234.206:6892 udp
AM 31.184.234.207:6892 udp
AM 31.184.234.208:6892 udp
AM 31.184.234.209:6892 udp
AM 31.184.234.210:6892 udp
AM 31.184.234.211:6892 udp
AM 31.184.234.212:6892 udp
AM 31.184.234.213:6892 udp
AM 31.184.234.214:6892 udp
AM 31.184.234.215:6892 udp
AM 31.184.234.216:6892 udp
AM 31.184.234.217:6892 udp
AM 31.184.234.218:6892 udp
AM 31.184.234.219:6892 udp
AM 31.184.234.220:6892 udp
AM 31.184.234.221:6892 udp
AM 31.184.234.222:6892 udp
AM 31.184.234.223:6892 udp
AM 31.184.234.224:6892 udp
AM 31.184.234.225:6892 udp
AM 31.184.234.226:6892 udp
AM 31.184.234.227:6892 udp
AM 31.184.234.228:6892 udp
AM 31.184.234.229:6892 udp
AM 31.184.234.230:6892 udp
AM 31.184.234.231:6892 udp
AM 31.184.234.232:6892 udp
AM 31.184.234.233:6892 udp
AM 31.184.234.234:6892 udp
AM 31.184.234.235:6892 udp
AM 31.184.234.236:6892 udp
AM 31.184.234.237:6892 udp
AM 31.184.234.238:6892 udp
AM 31.184.234.239:6892 udp
AM 31.184.234.240:6892 udp
AM 31.184.234.241:6892 udp
AM 31.184.234.242:6892 udp
AM 31.184.234.243:6892 udp
AM 31.184.234.244:6892 udp
AM 31.184.234.245:6892 udp
AM 31.184.234.246:6892 udp
AM 31.184.234.247:6892 udp
AM 31.184.234.248:6892 udp
AM 31.184.234.249:6892 udp
AM 31.184.234.250:6892 udp
AM 31.184.234.251:6892 udp
AM 31.184.234.252:6892 udp
AM 31.184.234.253:6892 udp
AM 31.184.234.254:6892 udp
AM 31.184.234.255:6892 udp
AM 31.184.235.0:6892 udp
AM 31.184.235.1:6892 udp
AM 31.184.235.2:6892 udp
AM 31.184.235.3:6892 udp
AM 31.184.235.4:6892 udp
AM 31.184.235.5:6892 udp
AM 31.184.235.6:6892 udp
AM 31.184.235.7:6892 udp
AM 31.184.235.8:6892 udp
AM 31.184.235.9:6892 udp
AM 31.184.235.10:6892 udp
AM 31.184.235.11:6892 udp
AM 31.184.235.12:6892 udp
AM 31.184.235.13:6892 udp
AM 31.184.235.14:6892 udp
AM 31.184.235.15:6892 udp
AM 31.184.235.16:6892 udp
AM 31.184.235.17:6892 udp
AM 31.184.235.18:6892 udp
AM 31.184.235.19:6892 udp
AM 31.184.235.20:6892 udp
AM 31.184.235.21:6892 udp
AM 31.184.235.22:6892 udp
AM 31.184.235.23:6892 udp
AM 31.184.235.24:6892 udp
AM 31.184.235.25:6892 udp
AM 31.184.235.26:6892 udp
AM 31.184.235.27:6892 udp
AM 31.184.235.28:6892 udp
AM 31.184.235.29:6892 udp
AM 31.184.235.30:6892 udp
AM 31.184.235.31:6892 udp
AM 31.184.235.32:6892 udp
AM 31.184.235.33:6892 udp
AM 31.184.235.34:6892 udp
AM 31.184.235.35:6892 udp
AM 31.184.235.36:6892 udp
AM 31.184.235.37:6892 udp
AM 31.184.235.38:6892 udp
AM 31.184.235.39:6892 udp
AM 31.184.235.40:6892 udp
AM 31.184.235.41:6892 udp
AM 31.184.235.42:6892 udp
AM 31.184.235.43:6892 udp
AM 31.184.235.44:6892 udp
AM 31.184.235.45:6892 udp
AM 31.184.235.46:6892 udp
AM 31.184.235.47:6892 udp
AM 31.184.235.48:6892 udp
AM 31.184.235.49:6892 udp
AM 31.184.235.50:6892 udp
AM 31.184.235.51:6892 udp
AM 31.184.235.52:6892 udp
AM 31.184.235.53:6892 udp
AM 31.184.235.54:6892 udp
AM 31.184.235.55:6892 udp
AM 31.184.235.56:6892 udp
AM 31.184.235.57:6892 udp
AM 31.184.235.58:6892 udp
AM 31.184.235.59:6892 udp
AM 31.184.235.60:6892 udp
AM 31.184.235.61:6892 udp
AM 31.184.235.62:6892 udp
AM 31.184.235.63:6892 udp
AM 31.184.235.64:6892 udp
AM 31.184.235.65:6892 udp
AM 31.184.235.66:6892 udp
AM 31.184.235.67:6892 udp
AM 31.184.235.68:6892 udp
AM 31.184.235.69:6892 udp
AM 31.184.235.70:6892 udp
AM 31.184.235.71:6892 udp
AM 31.184.235.72:6892 udp
AM 31.184.235.73:6892 udp
AM 31.184.235.74:6892 udp
AM 31.184.235.75:6892 udp
AM 31.184.235.76:6892 udp
AM 31.184.235.77:6892 udp
AM 31.184.235.78:6892 udp
AM 31.184.235.79:6892 udp
AM 31.184.235.80:6892 udp
AM 31.184.235.81:6892 udp
AM 31.184.235.82:6892 udp
AM 31.184.235.83:6892 udp
AM 31.184.235.84:6892 udp
AM 31.184.235.85:6892 udp
AM 31.184.235.86:6892 udp
AM 31.184.235.87:6892 udp
AM 31.184.235.88:6892 udp
AM 31.184.235.89:6892 udp
AM 31.184.235.90:6892 udp
AM 31.184.235.91:6892 udp
AM 31.184.235.92:6892 udp
AM 31.184.235.93:6892 udp
AM 31.184.235.94:6892 udp
AM 31.184.235.95:6892 udp
AM 31.184.235.96:6892 udp
AM 31.184.235.97:6892 udp
AM 31.184.235.98:6892 udp
AM 31.184.235.99:6892 udp
AM 31.184.235.100:6892 udp
AM 31.184.235.101:6892 udp
AM 31.184.235.102:6892 udp
AM 31.184.235.103:6892 udp
AM 31.184.235.104:6892 udp
AM 31.184.235.105:6892 udp
AM 31.184.235.106:6892 udp
AM 31.184.235.107:6892 udp
AM 31.184.235.108:6892 udp
AM 31.184.235.109:6892 udp
AM 31.184.235.110:6892 udp
AM 31.184.235.111:6892 udp
AM 31.184.235.112:6892 udp
AM 31.184.235.113:6892 udp
AM 31.184.235.114:6892 udp
AM 31.184.235.115:6892 udp
AM 31.184.235.116:6892 udp
AM 31.184.235.117:6892 udp
AM 31.184.235.118:6892 udp
AM 31.184.235.119:6892 udp
AM 31.184.235.120:6892 udp
AM 31.184.235.121:6892 udp
AM 31.184.235.122:6892 udp
AM 31.184.235.123:6892 udp
AM 31.184.235.124:6892 udp
AM 31.184.235.125:6892 udp
AM 31.184.235.126:6892 udp
AM 31.184.235.127:6892 udp
AM 31.184.235.128:6892 udp
AM 31.184.235.129:6892 udp
AM 31.184.235.130:6892 udp
AM 31.184.235.131:6892 udp
AM 31.184.235.132:6892 udp
AM 31.184.235.133:6892 udp
AM 31.184.235.134:6892 udp
AM 31.184.235.135:6892 udp
AM 31.184.235.136:6892 udp
AM 31.184.235.137:6892 udp
AM 31.184.235.138:6892 udp
AM 31.184.235.139:6892 udp
AM 31.184.235.140:6892 udp
AM 31.184.235.141:6892 udp
AM 31.184.235.142:6892 udp
AM 31.184.235.143:6892 udp
AM 31.184.235.144:6892 udp
AM 31.184.235.145:6892 udp
AM 31.184.235.146:6892 udp
AM 31.184.235.147:6892 udp
AM 31.184.235.148:6892 udp
AM 31.184.235.149:6892 udp
AM 31.184.235.150:6892 udp
AM 31.184.235.151:6892 udp
AM 31.184.235.152:6892 udp
AM 31.184.235.153:6892 udp
AM 31.184.235.154:6892 udp
AM 31.184.235.155:6892 udp
AM 31.184.235.156:6892 udp
AM 31.184.235.157:6892 udp
AM 31.184.235.158:6892 udp
AM 31.184.235.159:6892 udp
AM 31.184.235.160:6892 udp
AM 31.184.235.161:6892 udp
AM 31.184.235.162:6892 udp
AM 31.184.235.163:6892 udp
AM 31.184.235.164:6892 udp
AM 31.184.235.165:6892 udp
AM 31.184.235.166:6892 udp
AM 31.184.235.167:6892 udp
AM 31.184.235.168:6892 udp
AM 31.184.235.169:6892 udp
AM 31.184.235.170:6892 udp
AM 31.184.235.171:6892 udp
AM 31.184.235.172:6892 udp
AM 31.184.235.173:6892 udp
AM 31.184.235.174:6892 udp
AM 31.184.235.175:6892 udp
AM 31.184.235.176:6892 udp
AM 31.184.235.177:6892 udp
AM 31.184.235.178:6892 udp
AM 31.184.235.179:6892 udp
AM 31.184.235.180:6892 udp
AM 31.184.235.181:6892 udp
AM 31.184.235.182:6892 udp
AM 31.184.235.183:6892 udp
AM 31.184.235.184:6892 udp
AM 31.184.235.185:6892 udp
AM 31.184.235.186:6892 udp
AM 31.184.235.187:6892 udp
AM 31.184.235.188:6892 udp
AM 31.184.235.189:6892 udp
AM 31.184.235.190:6892 udp
AM 31.184.235.191:6892 udp
AM 31.184.235.192:6892 udp
AM 31.184.235.193:6892 udp
AM 31.184.235.194:6892 udp
AM 31.184.235.195:6892 udp
AM 31.184.235.196:6892 udp
AM 31.184.235.197:6892 udp
AM 31.184.235.198:6892 udp
AM 31.184.235.199:6892 udp
AM 31.184.235.200:6892 udp
AM 31.184.235.201:6892 udp
AM 31.184.235.202:6892 udp
AM 31.184.235.203:6892 udp
AM 31.184.235.204:6892 udp
AM 31.184.235.205:6892 udp
AM 31.184.235.206:6892 udp
AM 31.184.235.207:6892 udp
AM 31.184.235.208:6892 udp
AM 31.184.235.209:6892 udp
AM 31.184.235.210:6892 udp
AM 31.184.235.211:6892 udp
AM 31.184.235.212:6892 udp
AM 31.184.235.213:6892 udp
AM 31.184.235.214:6892 udp
AM 31.184.235.215:6892 udp
AM 31.184.235.216:6892 udp
AM 31.184.235.217:6892 udp
AM 31.184.235.218:6892 udp
AM 31.184.235.219:6892 udp
AM 31.184.235.220:6892 udp
AM 31.184.235.221:6892 udp
AM 31.184.235.222:6892 udp
AM 31.184.235.223:6892 udp
AM 31.184.235.224:6892 udp
AM 31.184.235.225:6892 udp
AM 31.184.235.226:6892 udp
AM 31.184.235.227:6892 udp
AM 31.184.235.228:6892 udp
AM 31.184.235.229:6892 udp
AM 31.184.235.230:6892 udp
AM 31.184.235.231:6892 udp
AM 31.184.235.232:6892 udp
AM 31.184.235.233:6892 udp
AM 31.184.235.234:6892 udp
AM 31.184.235.235:6892 udp
AM 31.184.235.236:6892 udp
AM 31.184.235.237:6892 udp
AM 31.184.235.238:6892 udp
AM 31.184.235.239:6892 udp
AM 31.184.235.240:6892 udp
AM 31.184.235.241:6892 udp
AM 31.184.235.242:6892 udp
AM 31.184.235.243:6892 udp
AM 31.184.235.244:6892 udp
AM 31.184.235.245:6892 udp
AM 31.184.235.246:6892 udp
AM 31.184.235.247:6892 udp
AM 31.184.235.248:6892 udp
AM 31.184.235.249:6892 udp
AM 31.184.235.250:6892 udp
AM 31.184.235.251:6892 udp
AM 31.184.235.252:6892 udp
AM 31.184.235.253:6892 udp
AM 31.184.235.254:6892 udp
AM 31.184.235.255:6892 udp
US 8.8.8.8:53 lfdachijzuwx4bc4.wasf56.bid udp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.99.10:80 api.blockcypher.com tcp
US 8.8.8.8:53 chain.so udp
US 104.22.65.108:443 chain.so tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 104.77.118.72:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.120.141.176:80 www.microsoft.com tcp

Files

memory/2700-25-0x0000000000500000-0x0000000000504000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsyA19E.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

memory/1924-27-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2700-30-0x0000000000500000-0x0000000000504000-memory.dmp

memory/1924-31-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-29-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-41-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\Pictures\README.hta

MD5 7be70bcae386fce0d4a21e6f5c27602e
SHA1 79d2fc2ab6b723ca1d86152dcd75d4d24d0ee321
SHA256 be5e612bfe9d9cbe78038ee52ff0c384475a9f61e2b49d1238af88ac86b0eb81
SHA512 a91ea00fee549e84dd2ea3e0a0d1c1ec38eb511bfc567726bd3014f833fe2ec1647fc4d0300aa20c36cc8094f912391b6f69a5c062c169a911c3eb5205f5b55c

memory/1924-342-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-345-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-348-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-351-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-354-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-357-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-360-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-363-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-366-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-372-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-369-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-375-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-378-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-381-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-384-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-387-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-394-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1924-401-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20241010-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 5587b9b65235807f61d2cea67a726098
SHA1 5a0e8ee64b946ae91d8d9e5f17b6e14c9a45dff3
SHA256 13257c64f9d820ecd8ae2a3aa198a5f93a7a93773c9153e2dfabf678586c0d08
SHA512 fc60c7dba11cb54e76d31f5dc8f7c103c5049c3ca6018a75b7e4394078aa787693a7577202ac872a001f8f4cd77c82fc262489f31f73b1752315f40ef49fea04

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20241010-en

Max time kernel

72s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 228

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\lightbox.js1651793503.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\lightbox.js1651793503.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 2496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240708-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\visualization-analysis-options.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438605044" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ACBB6F41-AA4C-11EF-AF9A-46D787DB8171} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007493de80dfa4fc4e8a30573235749afb00000000020000000000106600000001000020000000005bb61c98fe6ddc63e291372156712c8593642e7e69e1766576b170b0d8379b000000000e80000000020000200000008a7479a9c2e582fc5e63e2e6393d0d5c30e59bebf26a10dd3dd96a5ecb48b0072000000002b6aa9f7bdd1085f7ef3023fe0fa85e731bc91e6f9e3dc035cd1758dc19b78740000000bb54b04e6176d1ec14a3d2e6230d3947ca733c4315719bdfc899245ad6ef6aed397dcbb6720a4004c0e607d8130a8d44612e66a0dbacf42c42764a2987b55373 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00fb6886593edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007493de80dfa4fc4e8a30573235749afb00000000020000000000106600000001000020000000c3b8d6e19f8cbb735fcb4ec8d1740cccd828c8e816b524c327165c5e425851e9000000000e800000000200002000000043439d1d8cfbf462dc54806d68dbdf076812fbdaf0a40a5c800c6e6a2b3a17679000000073d46ac7728c35e3b8a949b1284f08d909e0cf68a1da3e31ffc616b9f33424520e75d25e7bdcfcbb8fb6dff6b63c02ab7424f6caa7c5e5531e1648da7ad1c40a94a2e85492250dc53fa8377eaaf043c97f19bf74c127e0e8d865088d1023d943b1acdbfa623c9458083763cc31f0c594693fc1aedf75e2ad74ad92a526d0ffcfa27faff059b6d59248fad6a990618ab740000000956e9189da25776671af392f8c573cff99fa961b847f1b796b7d5de4e5cf328da98bc19435ab0ab7c61799b69386b18e9eecdd2cdf33814007fa3464ddca57fe C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\visualization-analysis-options.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1300 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 static.webshopapp.com udp
US 8.8.8.8:53 assets.webshopapp.com udp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
GB 142.250.200.3:80 c.pki.goog tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 shop.svi.nl udp
GB 216.58.204.78:80 www.google-analytics.com tcp
GB 216.58.204.78:80 www.google-analytics.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
RO 2.20.102.93:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\jquery-ui-1-10-1[1].htm

MD5 0104c301c5e02bd6148b8703d19b3a73
SHA1 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

C:\Users\Admin\AppData\Local\Temp\CabBB55.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBB58.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 058abf8e21a50e6c4d6941a5743665b4
SHA1 13a17623ab637c5aeade776404f47d60e94abfd4
SHA256 60335eed15674cd545bc8c4dd75eefd1391d91807e8facf7995a86564fb58659
SHA512 e5c58076ee91b67e28ece8bb770b1dbc893009fdfc75c34eb51d293ae5b3ddedfbc04d099ef4131eb39314f1af47602e86fe77a0073c377a500738864f397cfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 569eb2eb64003bb3821168f93f4f1057
SHA1 73d8ffd9c4b807b30d5a4ce408426d6181cda7be
SHA256 430768cbe2021e01cf095b93a7c05d1ca0874ac9f9735c1690392bea1a6efcb0
SHA512 c1c5205f55d28a7ffd50f1d61defa7256ace024eed95c22293e724e8cc41c9cff6b5cd664ea9058201cad9ebf3f4a19c6287501e2948c552a2a3f9c2ed280c5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 c8a3c8d3aeff682e2c21cb8da6688750
SHA1 35adccdcdae4ee867b99a6d1315089eda8746f3b
SHA256 cc124bdaf04845fe6b3c92236379a42798bd03d0a8c93a0722252bfc5b648a9f
SHA512 bab3c7a55110fc74dbb727dbcffd63e6618d4f1014af1aef56be8d88e16ac3b56444d2b2e8ce249a2fa8303878a2754083cf7240480fa38b38f6e5d3adec3cc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 d05f4c453e7c4352517ee0e817ca8406
SHA1 ffc80d51c93e0c08a492b31c93b3f47d4e464e72
SHA256 ef54145feaec8480b26c58b6e8a55318ee74ee72cab83153df35ce33661e29e0
SHA512 da101303a23d6ac2137184c098c666b38aec59f29adb4ad6b811b04df3366cb849952868a367ca3d6202cd2c0a06b5e8cfaf7c5dfdf5f1ff0b8bf6461ba43d1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 1ced9610b50b5b6d9bfc9fc19f575210
SHA1 06dc46166aa004898e3db7561f0d694fd42126cb
SHA256 80c69583d35202f809bb0d3c8da5b41ff6b1ae264032a6f3c9aeaef992b36fa4
SHA512 4e8acb3056f1dc0b5bbb5f84925fa7b812a315468b943c471cb660ac86e0d88cd199b6a71c7dd24a109c448c855de0e7e5e0ce11d2e15a204c9be5b9161e25dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d91588e937584c2a5b1b6735117df8c
SHA1 036546f1787a16b7847e251b63830875ce72a675
SHA256 75f11c237ff4b976e2cc8cfde79186f716f6942435a13d7bdf22802ed6ae011a
SHA512 76a47077fc6684952ca712e1fc2c6d0f73987fa2be3e9ec0721504565797a8bcc6c5b6240d49c13d8e056ec3a2b15b509cc8691fcb72829e123d0d7fb037c14e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a7612a910aae04b88ec4ea4522b56a1
SHA1 2fa302155c9781b4fde45cd2b088d8f2f9e9df75
SHA256 c96b8d35ac9178b4e6d4c8205396a77b1450442a12013c10ce0bad1e587636f8
SHA512 0da4dd47f8970b7096eeead1a57f5a56b54d3c11f4916700b3653377f36c3a7d2c4afc8433f0fb0da0c51da9f2cc14f992f25034bb47fa5a59b495758e8f1c21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cc57b6dd2cf8f5c115f2ab6803649c8
SHA1 0ef183247054bf55b63f18f78e94ed70ecfc71e1
SHA256 aa5c72064e7204db0a6fbff7819b6e5fcbd42f08819d401c5a54c8becd6dc12c
SHA512 21d27102994095c4f3a5a9c5a697e34d339831a71eabfa0d16587a22f890dc6593f63eeabdbbaaa7c4c532b3d93a192519577c7a318b7f9f63e02e870c5350ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23df7775d604a7751de761cca3a3888a
SHA1 b4752d9d527ca8e904748a9aacbfc54365e19071
SHA256 afe425ad63c24883103e19294797f931a6f6ca95ccc004ddd2073d7e28d22aed
SHA512 41c2e4972f72dcd9d3069cb8d220189d0eff00eff8279db7b593ee2be2bf0171ac827851aab649e31c084b581dc8f98254b0b5efa3daedc724550acb93d41f81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89ff79652d1d092966a8a76729cab00e
SHA1 f1cfba894d5ad2da1802eaa04856c48fa1916cd2
SHA256 d5252b9dab2fbc7abee1dbcd15a2134a5fb73209dfe1f6b5b1cfbab7d6abd659
SHA512 4f0c0d6a50b997469729684f93521a1bf12d872a57cd65c7795071b9f18ed089520968f27f1e5def026c57dda4eff6fba38dec177dc2ebb2ca8bea1f0a564fc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afbf9cbd18feedd271b2017b8210f732
SHA1 b8b0aef33b56dabb4a32a8ed156069d9873c0f7e
SHA256 eec596a28d988d84a67ba10c4397d5f48492ef41df24126fc4468047151a44b7
SHA512 f94e4f09844d129315d27433632a683943cbab0d05acf9a5f99ede51d0fb6c93cdc2e709cb761dafbcff1629b211f77ff08ae8f077f92c7f6b4162817d714e58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1102f0e7cb67a62e86479904004b297
SHA1 bb473d9165f200c7c61e38629d529c312693daec
SHA256 de9fefc2b2abf69e3e00a51416540028bf70307d47aee43e2a0bd1c6e1636f3d
SHA512 b3f2da8e5c2b98892579143e9df8f44f4d9f5ffd498a5c9cc2ccd3a4f641dc612f5f4a418d3d3d2d0c9a46307a9e653a68593d26791ebde3f45ee12a08d7ed4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a106cd8e1ed0b4f75c99ffab06f62f7d
SHA1 30f29516aefd05fe45954f080737e8759532735e
SHA256 9c04394d3b1ec087fbe9fd236aa6210817eb5ddbea72d90919c7d3e18130a633
SHA512 12d3da71ba563e58dd1ac197228499cf5c0eab168ee7e5507f643dde4d274418c8bcd5addc655778d50136ca5ca4273578f17f703977d167ad6a5b9f2ab730bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b0ac468e0af56dbca772267e355b1dd
SHA1 89a722b24a16aeaa0e6c821b782015e618dad5ac
SHA256 840fd18e93e57ff34eccd231343d67f1f2c572709c5e6c4e64aef391f90b560d
SHA512 1efe588c752daad069124beda2cc595ea94939742a95a451ed3c71f0b4499ef883b09174ae7e79aa20357068938961aa846838d0d8bfeda7b414aa4a007bc675

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a8e13d404f77c12b65e421f2a39aee9
SHA1 2a975855e533774c84dee6e1b5d2798a19efb7b0
SHA256 ad0c5cf7f0d08cf3568b8f67811ed66550f2eb733e21f9c1cf9e9949a163114c
SHA512 927ae1308ac04962b1fa8fb8c522aec07d086e3992c8f13d560dbbf780fd0a79313123d21929fed0c990965bbca9e0c2802e699980b9e326d54b821dae8c7adc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d7f81da5c72a434449766b8203f0691
SHA1 bd6e5816ee8f3ae482b9c4bf03a68241fda9d4fb
SHA256 c3649d17eca81bc7aa1fb7f6db416476af9f15ccc3301a68a98023fb7de002d2
SHA512 f34374d811f7d96a0142ef07be035843187f446a98aabdfebdcf7d51387700dbb6659a06864d8bd1238eceb77337e16c50189b81bb9421f0651a3b8c9138dfe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 023df27f0b5771c08766d571395d084e
SHA1 85898a12b24c32b5158108c530119250e470bc4b
SHA256 33c5d710ced9e38c3586dc42e5cbd22b7cbece5e48b782ed02025c37e5fff8c4
SHA512 574646443f9bc99960a983d90969fc5c4ba21f96e4f3f219e5ee41eedbe9d1ffece2e61ba3c66ed40a7c8c25425f317a69977f775f1b176e906cb950866d62d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29dc116fec0755e57a490e2453b1c772
SHA1 dac1fbdbc1fb70b38743ac42a68e9e92ae597264
SHA256 f690d174e1afbf4c0ba160349765076e4ab8510ca72be41a4158c108d22ec9f7
SHA512 730ece896c14b4ccbdd52d8482bca7da672e3d09e8db087f8a61c77ddf9975f70f9303bba464bebee36f1dbd98b8d12e47cfffab6d1d44d0b6f20d43c8a96766

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e621b2d14f05faf81bf18b81dab826b8
SHA1 d2f66af9fc91d5b82dacf8955aae062808494e73
SHA256 a1f6a6d6e74e105e84ccb2230d5347c0d09de038fbf01d5a6de1458653296ab2
SHA512 de9220827003a43e8784bc9af76b3cec02648a591cc02edc757f3422e7741c9175d64ea15b7aeca630fb3c0eb852634e9ebe909cbc4c20fbc17138e757271518

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5b24e05a41acf15d4f9a252412383d25
SHA1 50be2dc148da8811b03d2f39e770632f7e6988cd
SHA256 18ea81d8d339b0627a09c80b304201b2a835a115821decac3a2aac6cb741da6f
SHA512 45b4037741a042dc4fd8da2c92e4d6aeea55e6e636d2520f3472f4d064eb96dabdde397fa829c722f98875750ebd2a9533f17cbca0bc50e0c5d43165a52581ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eeb722de06bd7469b7b7e8df188c209a
SHA1 18413f2f524bc377cc510649339013aaa5235e72
SHA256 3cbb35e235c68ff2dcdd3377e477660c6235d9da9f78577e5caa02b9b91fceb1
SHA512 96c0e85cee9585cde16c6a075722c38e6b95fb1fdaa0c767eb1b54c8c30863029f831c57852420aba27e443f3447e618cf87dfd39e663ca4cb83f85bdb008762

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efd2335e0a7e8b89dd519c8df0d7292d
SHA1 a4331d49977c39ff7b722d8fec4a2a01a1352530
SHA256 d6d8a29d7da9cceb79ce91472f3c97f8ff543e41a87616ecb3c3228e2b0c0a3f
SHA512 55d8db4008c57ac4b94efee9f2afbe85cfbc48a254f38f8dc68799e5d51cdc6888ad2652d45c5ce0622161b4c73e1f0d4cb8ee0612d6b1dd2945afa34c93e99a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3600ab771eb3eb816067f5d8c67ad1d
SHA1 25aba78f6064d3b8c35dfe79f43e2eb2fcf5136f
SHA256 a78dac6ff5de937559c754cfa62cada03dc11bba7839d529c4681499d2895518
SHA512 32197092d6ed5754221e9a8b20d855cbd7117dd483441bf0610e38fbe094243b242050df9719d23136f282603285729e912649d9f674a752e9198af3355c6f14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e709b3b53205bc4bc423b6e964a27c1
SHA1 363cfa9708975de8441e7a4e3fd4097c0dedc3ce
SHA256 00a22af78c28dfba941cbfba25823e2bd5a1ff0f9a7e04e2d198cff6334c70da
SHA512 ad200d064618844ddee77d4bd3ec5cd1b22a73f1c09e481738184e5a6153c8d9abb7e3be7365f5eb2929ce1f7f855ea432c5f9a5532c0c4eef48ced961062fc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 64009a0fa2606702d994d2e6c0398ebd
SHA1 8cc7b0fec0e25f9b9a6655e2b28dcdeca29c0a52
SHA256 ad978e028416440b22b5a2d476bf0da40f448d3ef99a0669c734814fa5b3cabf
SHA512 0e75c7eaea1720756edf1b9be3329476c53be7a7bdba193e2b406ee9585b7ad5a2c0a2d5a59de0b9152956e4acebd197141483a0f76f00c9b1875d3a6d4eb0ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6c0bc34e8e84b7b09bb8d11bd0c7f9f
SHA1 9ddbe0d9b9998e17dd12b5d848475a263d32baa8
SHA256 0c92253fcfbd5d456dc45f859c5c76a6dd94cc3baf5ffc8d1582d85f669d3873
SHA512 806ced58c9860f977b64dbd3fc6e00a502869b2303f8325902be8665416c77bccd37e2affa4a0e8c5abb8a7c6d524f323ca1c529b930a6b660102eec9c5b01b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fa7dc55aee3a04f556ae3dd47d1490c
SHA1 81113542f0bcb722de1491901085bacd93683656
SHA256 a4033ef46423f1c51b188c57e1900a12804703e99fd274d1104c8735b30d7577
SHA512 f5c68fe666c78ec3ba4ab425422a4278ee8a70dfa1823bf921ef3f81efef5890f89200e498841ff36bad80c1d1e9e188cbb09bfeaec71c8826941da50a32a721

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04962ae3ed7dfa137b02e4d21d1e26fa
SHA1 c2853607a7c8411d0b43a787e800418a1ac3b0df
SHA256 6facadc261e3f0dbb4c201b482bb0c9e904b0edee7f9349dc1c999884bea7bab
SHA512 a5ef65c49e36f5eeca6183b3c8d7d3e3d8c8b85b22faf795f7c84246d016c0604c0ba44649b07641f2cfc8a1db4a8d6c343fa94e7db92343af4c8bd761edfd75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27f144d7e23b734183a04b0468980d47
SHA1 0bf2cad2b3eba6c752f226111bcba456df17148e
SHA256 23835cd1cb829a4017df2c57444f4dc54e8576ad8558706656da4bb353833cbe
SHA512 b8b77616c3c28b3235b13c74063a1a737e8685ee2feea643f55f55ad4c41ac19d6cbaa784dc8d22624f3b8d227ea2bdc5a551ec6163e21c05fe30112ef1bb429

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\visualization-analysis-options.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 2100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 3612 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3644 wrote to memory of 2072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\visualization-analysis-options.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffed0a346f8,0x7ffed0a34708,0x7ffed0a34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,862738808491203808,17589028130437878035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4816 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 static.webshopapp.com udp
US 8.8.8.8:53 assets.webshopapp.com udp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.16.8.49:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.17.156.30:80 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.16.8.49:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 104.17.156.30:443 assets.webshopapp.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 49.8.16.104.in-addr.arpa udp
US 8.8.8.8:53 30.156.17.104.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 shop.svi.nl udp
GB 216.58.204.78:80 www.google-analytics.com tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_3644_YBBITBCNCFFESVBH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b455fa4719e886d96306cb7f97699daa
SHA1 1371f710fa18d0e68ff4783fcb4ee401d259d3a8
SHA256 ef82390b1cd06b146b3522603179fc355f2a62d8cc55520d95c1888bd0209489
SHA512 51c191f030fcad88595ca8a9c93443e4da8b534eed9d1922ecf0b941ebbc9826003fd1b0e961efadf21101d5ed56488a0b439584ca6716d169b51a491c4a600f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5d543931c86a753be95c974a2cd4eae8
SHA1 7120b2da801ebc3ed05c92b7bee491d0b8602133
SHA256 0216bc564284ac3541a81b65bb11bf3ce086ea6873573affb14fa9abcb082798
SHA512 cd58d4c68cba798590ac8f3b811c8e74b9831dba9a1fbbeb810471115b1b25b6f1f24f88e6b72c3c36d023f2a201696f74700dd817c49813d0b68cba8080f681

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00467b464b8d457190ef787a225e8134
SHA1 52ea89efbb61914161898f61fa1a71387fd006f9
SHA256 05bcc24aee640f098dd8dd839937aa45c4441b237d83398ee98cdaa445731f30
SHA512 52e008259727584216599f6e91747b713f2303ba03198bfff1e98cf7b9664daab51f0b7cc37e1cc2a07978ce174d576b3c1f6c71a69af3f2bf9da28b17d280f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 222bac61d592d0306113b088ac74717d
SHA1 b942569248b2501a71960c6ab776f575109addf8
SHA256 0bf4bec34808534258f7013aef34e08a4e189e2900a429caf2b4125f091f428d
SHA512 8e0ad1360b1c5fc51fb4d5268827e09d88bd30198e18c71bf59bd25d5e245f43397c78790d1f9ed0a665cff306e630c9644410261d4510ebd1a3c463c295d4b0

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\tc_sftp_uninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$1\$OUTDIR\sftp_plugin\

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 5587b9b65235807f61d2cea67a726098
SHA1 5a0e8ee64b946ae91d8d9e5f17b6e14c9a45dff3
SHA256 13257c64f9d820ecd8ae2a3aa198a5f93a7a93773c9153e2dfabf678586c0d08
SHA512 fc60c7dba11cb54e76d31f5dc8f7c103c5049c3ca6018a75b7e4394078aa787693a7577202ac872a001f8f4cd77c82fc262489f31f73b1752315f40ef49fea04

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4724 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4724 wrote to memory of 4552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Dedicated_Servers.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3824 wrote to memory of 4156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4156 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3824 wrote to memory of 4068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Dedicated_Servers.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf21a46f8,0x7ffaf21a4708,0x7ffaf21a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,4000954660869410651,2515926704340232640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2432 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 faq.he.net udp
US 64.62.138.190:80 faq.he.net tcp
US 64.62.138.190:80 faq.he.net tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 190.138.62.64.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1 010da169e15457c25bd80ef02d76a940c1210301
SHA256 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512 e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

\??\pipe\LOCAL\crashpad_3824_NODYBZKACPWFRTOX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 85ba073d7015b6ce7da19235a275f6da
SHA1 a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA256 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512 eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6102f7ce623f42baa76fc387b396f9d9
SHA1 2d246d35966f21fbd9815c139217197c52d87cf2
SHA256 317aa13219697d0bb302758cbd1c348be7099240ce01ad321f49872aec3ee0dc
SHA512 f3edec8979d07782c82e26c7ee9098dea899f614c9b5391244db93d298239b5bfc25dafcde621be2c154cc04f7fd734ca588c4bcce3f57aae54415af522c7125

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 58a56555b2cd19d7087b38a913f0b16e
SHA1 55980868ab705a516ed31fc5671abc2397fbd336
SHA256 a01f425b94d30e1c6a6b8bc1020d85a416434ef32bd618b8bdb176827bbebe4e
SHA512 c4fcee996f33702690a734cf68f7277c07482a7f796ce36c51d94fb1a08a3fbd4c81207eb23480af4764ed8f94db9a26757226c636de1bb8718e4f12d20259b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6fe45d45ab48c18ede8c3497a29f95e7
SHA1 a6a6a9430e67e959097a1f8919730962eb53b6d5
SHA256 82e22c1d5a52dd9a4dc3531b2ec03367bcc9a991f994df1c50199b9379ab0b83
SHA512 a24180f9e84931c8c32c13c135f8d2850a716b25c149e30f6060f568edf42e67686f975610c3e12d0bcf9ff18cb994057f6e5004e5ce5a6882b8e934c7ea35fd

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\cse.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 1384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 1384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3344 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 3512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 2764 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\cse.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb346f46f8,0x7ffb346f4708,0x7ffb346f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8725392728183597520,275711103882425662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1936 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:445 www.google.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.212.234:445 fonts.googleapis.com tcp
GB 172.217.16.238:445 www.youtube.com tcp
GB 142.250.187.238:445 www.youtube.com tcp
GB 216.58.201.110:445 www.youtube.com tcp
GB 216.58.212.238:445 www.youtube.com tcp
GB 142.250.179.238:445 www.youtube.com tcp
GB 172.217.169.78:445 www.youtube.com tcp
GB 142.250.200.46:445 www.youtube.com tcp
GB 216.58.212.206:445 www.youtube.com tcp
GB 216.58.212.234:139 fonts.googleapis.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 216.58.204.78:445 www.youtube.com tcp
GB 142.250.200.14:445 www.youtube.com tcp
GB 142.250.187.206:445 www.youtube.com tcp
GB 142.250.178.14:445 www.youtube.com tcp
GB 172.217.169.14:445 www.youtube.com tcp
GB 172.217.169.46:445 www.youtube.com tcp
GB 142.250.180.14:445 www.youtube.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:445 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

\??\pipe\LOCAL\crashpad_3504_GLDZCBCLBUKLVMBC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 31eee4d03583bc37aa592834e22c4b25
SHA1 1c554cacd3013a5e0dc4477d3961eb0897252708
SHA256 9fe12e457a91ed2ce0094d2bb9e47d711146b3bf9bf3287f7dbb1e75e05b4017
SHA512 1553578569ded0150e6b6d73c530dc443e9433d79b7c78c80f7abc5d0bdc245c9bd26dfa7efc0c4dd37bfb7826623fc3a0f1b1e68e79e7bdbbb4e1125f1e8976

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6277bb45e6c71ab6516bd67e1540c29b
SHA1 e6fe95beba1ee7b2a3c56979d3269cd2f1cadd22
SHA256 8a88ba3073d52f261637da9714dada1b6ee0519d5c4520131eef10e37d551a4a
SHA512 7cc58e01b3534c5fb1b5040a1566edd4cb72ec52c7a3aadddc5f6090da2bc66b8cb903c39ec131f732fa70b04cd68407f2738ad95b38ac03e0506e6bd44cfd0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a4f488cd2faa24b6ab634a5c5f0ec314
SHA1 3a85997176a5f0737e6f7a8628cd1f8202e49a3e
SHA256 4876e53a176074b88f6cfa266055ec994434a099584ad3c7511f32da48ce31fd
SHA512 c05fe0f8cbf1db4e6d4ca8d69696d0c7ed7e3cb19e9fe59529c8831e9f4f2d6cbb9b6c5a66fe6d9be5165b3d92a065dcdcbda1975287401a6ec9f53a94ae1434

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 837d6bb1c975ea30babea06b2d41f37b
SHA1 b2905612e226c99061dbbc3867d122f01292c126
SHA256 a56825326d85e9ff3ff2e6b224fedcc66d8e9dc1f8973a56a238d9bd1ca6f42e
SHA512 4dfdde03c3dd46d95b6e71b61041f28a4a506ca6959d1a6ac516ae97d80e17b511865d1ab491039203db6bb3547b5c84c41b48574e65828273a7821faf380253

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\postproject.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\postproject.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\postproject.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\postproject.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 10:12

Reported

2024-11-24 10:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9401bdd3dd74040b371abb07d85c9914_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp\System.dll

MD5 3e6bf00b3ac976122f982ae2aadb1c51
SHA1 caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
SHA256 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
SHA512 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

C:\Users\Admin\AppData\Local\Temp\nst8EC5.tmp\InstallOptions.dll

MD5 f8d9d9418e6e1827ed2b53dd930e48fb
SHA1 c78b0e5b274dbbfd032a0f3ed795d82d5ea617c8
SHA256 2a2878b54550178144665d4c5f67309f71f1089679ae0f84fa419b8a309a88e4
SHA512 510ac31f9e330ec2e6133c1cbe775a955b79b94dc5a84d94b2c59d9b513c35f3786ff8a7f706d04ec2503a4ffc16535624a34e0dcc53e91eedd2321691b617fc