Malware Analysis Report

2025-01-18 21:59

Sample ID 240622-p9m3raygkh
Target 023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118
SHA256 583e16e5a6d356025b2289aaa6a1cc244cde8992856154891a2b89c1f540d53d
Tags
adware evasion stealer
score
9/10

Analysis Overview

score
9/10

SHA256

583e16e5a6d356025b2289aaa6a1cc244cde8992856154891a2b89c1f540d53d

Threat Level: Likely malicious

The file 023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

adware evasion stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Installs/modifies Browser Helper Object

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 13:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 13:01

Reported

2024-06-22 13:04

Platform

win7-20240611-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\regsvr32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine C:\Windows\install.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\windows\protesto1.pdf C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe N/A
File created C:\Windows\jsp062201.dll C:\Windows\install.exe N/A
File opened for modification C:\Windows\jsp062201.dll C:\Windows\install.exe N/A
File created \??\c:\windows\install.exe C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99AD0A01-3097-11EF-8E7F-CE8752B95906} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000cfb3a04c9802cfea86b5abab0092a94197b7f34e9dbc3fab754a24ab3d1af18a000000000e800000000200002000000027680f7ce9c8a0589411dcf1788a7a584dfde290c60414ce6cfd30fe7904d351200000001b17f9917ed2cc019d696382f07cdef4bce50b7f5d7ec42e5cc1a69931de493c40000000758af949a6ebae845458fa66af79c887277f2499bf606246d2b98b339e3698b4a68cea532f8c31ca37ab24e3517df606ba1ecbcd80503eddf9a7789717c79ffb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e2c471a4c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425223182" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\InprocServer32\ = "C:\\Windows\\jsp062201.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 1912 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2920 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 2576 N/A C:\Windows\install.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2168 wrote to memory of 2576 N/A C:\Windows\install.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2168 wrote to memory of 2576 N/A C:\Windows\install.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2168 wrote to memory of 2576 N/A C:\Windows\install.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2576 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2576 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2576 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2576 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"

C:\Windows\install.exe

"C:\Windows\install.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\Windows\jsp062201.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.correiosonline.com.br/pt_telegrama_sel.asp

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.correiosonline.com.br udp
US 8.8.8.8:53 www.correiosonline.com.br udp
BR 201.48.198.80:80 www.correiosonline.com.br tcp
BR 201.48.198.80:80 www.correiosonline.com.br tcp
BR 201.48.198.80:443 www.correiosonline.com.br tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Windows\install.exe

MD5 3bcf1d552a3f5ca5e641df52c572418e
SHA1 d3b193b3adb12e4bc5ab29bae76105dc47941ee9
SHA256 ee2f91eb69ac18b9c057dd9e5716eb26fef37501e941f8b781e610477b76bb51
SHA512 593d0a09305709ba8a318ebb94f9bd3db2798f865bc9b3b8a7d8191f0abaaf50be11dfead9f2b75e7c431de827d8a4416187aeece56396bee55ad63e686f99a0

C:\Windows\protesto1.pdf

MD5 4756efeab0b28a6284ad7b07699615c5
SHA1 d0da2ffc0c5a6ab4236e28ebcc0828af3c91f475
SHA256 8983faca41c1ed196f82ed2e4fd0927c69008e733e16b673b2b295c00f89ce56
SHA512 fbf3c22a3a0c88bbab3c4e626ba69451fa3ce51e265416f47e0272fcc86380c5e073a8fd40afac3f3b53317dbbd0dae5ab20096ce4a4949aef6f38c20a8f0539

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 13:01

Reported

2024-06-22 13:04

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\regsvr32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine C:\Windows\install.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine C:\Windows\SysWOW64\regsvr32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\jsp062201.dll C:\Windows\install.exe N/A
File opened for modification C:\Windows\jsp062201.dll C:\Windows\install.exe N/A
File created \??\c:\windows\install.exe C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe N/A
File created \??\c:\windows\protesto1.pdf C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{361B2978-88FF-11D2-8D96-E7ACAC95951F}\ C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe C:\Windows\install.exe
PID 4264 wrote to memory of 4740 N/A C:\Windows\install.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 1780 N/A C:\Windows\install.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1780 wrote to memory of 2008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1780 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1780 wrote to memory of 1488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1780 wrote to memory of 3248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\023ffc154d694dad62ae6c98b5d5f327_JaffaCakes118.exe"

C:\Windows\install.exe

"C:\Windows\install.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\Windows\jsp062201.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.correiosonline.com.br/pt_telegrama_sel.asp

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9050646f8,0x7ff905064708,0x7ff905064718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2564 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14168432008386025664,17739900720352126366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.correiosonline.com.br udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

C:\Windows\install.exe

MD5 3bcf1d552a3f5ca5e641df52c572418e
SHA1 d3b193b3adb12e4bc5ab29bae76105dc47941ee9
SHA256 ee2f91eb69ac18b9c057dd9e5716eb26fef37501e941f8b781e610477b76bb51
SHA512 593d0a09305709ba8a318ebb94f9bd3db2798f865bc9b3b8a7d8191f0abaaf50be11dfead9f2b75e7c431de827d8a4416187aeece56396bee55ad63e686f99a0

memory/4264-11-0x0000000000400000-0x0000000000573000-memory.dmp

memory/4264-13-0x0000000077564000-0x0000000077566000-memory.dmp

memory/4264-15-0x0000000000401000-0x0000000000402000-memory.dmp

C:\Windows\protesto1.pdf

MD5 4756efeab0b28a6284ad7b07699615c5
SHA1 d0da2ffc0c5a6ab4236e28ebcc0828af3c91f475
SHA256 8983faca41c1ed196f82ed2e4fd0927c69008e733e16b673b2b295c00f89ce56
SHA512 fbf3c22a3a0c88bbab3c4e626ba69451fa3ce51e265416f47e0272fcc86380c5e073a8fd40afac3f3b53317dbbd0dae5ab20096ce4a4949aef6f38c20a8f0539

memory/4264-20-0x0000000000400000-0x0000000000573000-memory.dmp

memory/4740-24-0x0000000002E70000-0x0000000003128000-memory.dmp

memory/4740-25-0x0000000002E70000-0x0000000003128000-memory.dmp

memory/4740-26-0x0000000001540000-0x00000000015DD000-memory.dmp

memory/4740-27-0x0000000002E71000-0x0000000002EE9000-memory.dmp

memory/4740-28-0x0000000002E70000-0x0000000003128000-memory.dmp

memory/4264-29-0x0000000000400000-0x0000000000573000-memory.dmp

memory/4264-30-0x0000000000400000-0x0000000000573000-memory.dmp

memory/4264-32-0x0000000000400000-0x0000000000573000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1780_RUNHPOXJSRWUCLLY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a286cf5222c93ccc8234217b196a3ce1
SHA1 412c0e5ab8ef2e3e1f3ba6abeda5c80ca88da051
SHA256 1e25dde3f2106cc8547198736b85d7a293946a3df8014bdfccf469c8cb2d0e9e
SHA512 989fde1bdf93400f61bf7f509578470adf94a6af901d04fe86d7fb40456d050285c1aff79672cab52a22d9046093fe7fc8f8c91acaf15d671a4e05484438769b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 60c413158f45800c739a647951afe2c1
SHA1 5f41df4aa2d50605bbdf9901d63f6d68280d099d
SHA256 2cc739545466e2172ae32dc109932b9a8ef7187f36fb438144b0fff6fbee4846
SHA512 7cbd66baf5eaac4d43ba51c8c08f8ac03ec17652b4710db5b310c7f2a11e72b1211924e34835666552760d241ec88771550f61c759eabc0b5cf9afc728e5f1eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5826ea6cbad0100958310861101f30b8
SHA1 6bf5385fb99981dad1950d11797b39c67d84d8de
SHA256 e96436567b447488f4b3de4bbb85abecfc612ed0b82a956567f660d11d51706f
SHA512 c4bbc964739c1355ed16bfc46bf02ace196e8346371ba572fb7f9a37ed259602674bb8fb8069506b291ffd17209ac1394439bd6ee2e91a1607a9f1742c627b4f