96e9689af6a4d040f970dd00d5e05ab4d64fd10bc9da6f2811542be6acead877

Analysis

max time kernel
135s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
Size

1.8MB
MD5

ea752bd9988420f1497145fc2b53e7d4
SHA1

2b371eb5747a8cc0daa1c1ce7ea7c5d35adaddb1
SHA256

96e9689af6a4d040f970dd00d5e05ab4d64fd10bc9da6f2811542be6acead877
SHA512

dc563481ac0b32358d551a3bc5cd3ac7a30715272ae5e07543e546d224b75614fc90cbac5bcca21a9c130c4a2fd384d3d22d72cdff24b20fec87ad53c46521c4
SSDEEP

49152:Qhg6I7xd/xTE+wjEflFaY5Uxq8Rqrhlru2pDdcsZpxjy:tSjEgwrjuWFZrjy

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe

Loads dropped DLL 5 IoCs

pid	Process
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4620	msedge.exe
4620	msedge.exe
4280	msedge.exe
4280	msedge.exe
4540	identity_helper.exe
4540	identity_helper.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe
4280	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4280	64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe	82
PID 64 wrote to memory of 4280	64	ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe	82
PID 4280 wrote to memory of 2684	4280	msedge.exe	83
PID 4280 wrote to memory of 2684	4280	msedge.exe	83
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 932	4280	msedge.exe	84
PID 4280 wrote to memory of 4620	4280	msedge.exe	85
PID 4280 wrote to memory of 4620	4280	msedge.exe	85
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86
PID 4280 wrote to memory of 2180	4280	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea752bd9988420f1497145fc2b53e7d4_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.111dnf.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff914f746f8,0x7ff914f74708,0x7ff914f74718
    3⤵
    PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:4288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:2988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4102855360721606576,16252923969429295232,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5676 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\33322c25-83c1-4d0f-aa1f-38f793fcef5a.tmp

Filesize
5KB

MD5
c0bd992d0482eee6258690359361a7a9

SHA1
8a530bcdb341fcd5cb8ab079a66a4c80ea4071e6

SHA256
9aeddc2ec2f6f54a6d2b311b019bbb348fae856f280e402e1a93b62d5bac130a

SHA512
48fe410dbe54b84a993a6e88460a74c9a9d634a1e9fd9ed54c72cc9d24cf9f32d81d0197f843875d47d70615039c825a8b5c9ea01c54e17e4d5e1db8abdb9a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11892464e5acf6acd691774a80fbbe48

SHA1
c9cc4d0bde363366fedc1a5530dce35a9937ee19

SHA256
16fe5525a5a935334b90659575f4e3781762b028830e5803aef318bead9062dd

SHA512
04cad823293883aff609e78d8804b32cb77e44a916289b88b21309fc4cbc9713ee28c935a1acec6c512c2b36405b01cd07ff00a5d97f41737855f677efaeffa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
616b5f6dc48cf0322edd02bc9c0aacbb

SHA1
6de8531177405d03af2678001be8f323c8708862

SHA256
a9bba8426a2a70be69c8b7b57e51605ab2e825aa2fe8b63d5b7dc823a8cb6505

SHA512
cf6682e0542b9bfc84c669fb19c91780f55f35aaec70d8f8e18be81f4c968b7c92af99c582f70d778e0a2336d63c96065d3b4b82b78c7068bc696d033782171b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5028df11b910942325e1ceb9105d2d5

SHA1
b990eb995e558189a39ea3f1bae6498b592c406b

SHA256
35f22c6c100a3574f28f154160f3e627344c3c0c2f4bcff51d1d0cf02d512e20

SHA512
28a3333e8bd34292fba7f2923bed60bf7fb328b59a616cd9da494aefffb7a6961b8dd01593535f7c0b6c0713e0d384baf82bcaf63c14f3e8d9dc5409e24efc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4c9e8f81bf741a61915d0d4fc49d595e

SHA1
d033008b3a0e5d3fc8876e0423ee5509ecb3897c

SHA256
951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129

SHA512
cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
328KB

MD5
d0e0d53a970aaa7068bdb41a6b8a7c5a

SHA1
b4fde4e2b7924e1fd76c094a5a7244d1fd351700

SHA256
6898d235f653db69a96a614259a6512db1a89b638d3c00dfaa72339595d3bdfe

SHA512
f4dfd2e64f0505861286fe71cf272119518b1e0b18e4ea3095d62c616fcd6d6dff953218fff8da6d42343303d56a9eee815f0ba3ab16c6514e1fe19fdb8c7660

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
3fe72f93ab5f24a0ea2d753013a41c4b

SHA1
9206cd206c0b2782a2b1ad1d19ace97bae6e491e

SHA256
db32e8ea1d91009ca25b79d7e863a08be56632641a7a145326fbfbf0931b6c79

SHA512
24ce75304e6b5508d9bbf425a68b1907bc51f30c168dd3b800f34e1f7fc1aee044818848d1fde40e7556af5f16f94ea02d19344bd9ffda1a6d011a624d6f46e9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
572B

MD5
e064f5dd13f0e6c0c3dc7be725f69bff

SHA1
a6f6785acc3edcbe742752e1f3b7431282cd22db

SHA256
486c984b307024c3db41cbacaf37b10acf48d0ae663dd8e788f4ff17ce4f1230

SHA512
a96fbe151101959cc75b691ea272d06516889f5d5dbf755dea1857f4ff01977aa023359c825b09b3247c9cd92ed8fc923dee4b8de8e93986fc3723e8394a1ca2

Download Submit
memory/64-51-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/64-17-0x0000000003C00000-0x0000000003C61000-memory.dmp

Filesize
388KB

Download
memory/64-0-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/64-10-0x00000000022B0000-0x00000000022E8000-memory.dmp

Filesize
224KB

Download