b0a01e8e961e890c3b16c319c551b7309cf6cc2c14a31a0ca61bc7746641f8ca

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe
Size

768KB
MD5

09ca29c8d8573e0c4b4d034ccdca7ddb
SHA1

55721de238b7ea9b2ec32a76a99c0a5fb0faf817
SHA256

b0a01e8e961e890c3b16c319c551b7309cf6cc2c14a31a0ca61bc7746641f8ca
SHA512

ba9aadda048c7695ff44946e665f94b61d888365cab5dfd3ca9b3cc6f7c87f5ebffc018c06af367cb4d9c6d0127212391859fb40ec94adf2c9728fb892df835b
SSDEEP

24576:Y7ZFFW45c3dj5dP/EVnlUgZ1GzAgYJlaLF39oRx:Y7ZF80c3tnk5fPoAgQlah38x

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4700	pxinstall718.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/3756-15-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wininit.ini	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxinstall718.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4700	pxinstall718.exe
4700	pxinstall718.exe
2620	msedge.exe
2620	msedge.exe
3992	msedge.exe
3992	msedge.exe
2376	identity_helper.exe
2376	identity_helper.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4700	pxinstall718.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4700	3756	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe	82
PID 3756 wrote to memory of 4700	3756	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe	82
PID 3756 wrote to memory of 4700	3756	09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe	82
PID 4700 wrote to memory of 3992	4700	pxinstall718.exe	83
PID 4700 wrote to memory of 3992	4700	pxinstall718.exe	83
PID 3992 wrote to memory of 2640	3992	msedge.exe	84
PID 3992 wrote to memory of 2640	3992	msedge.exe	84
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 1892	3992	msedge.exe	85
PID 3992 wrote to memory of 2620	3992	msedge.exe	86
PID 3992 wrote to memory of 2620	3992	msedge.exe	86
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87
PID 3992 wrote to memory of 3540	3992	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09ca29c8d8573e0c4b4d034ccdca7ddb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\pxinstall718.exe
  "C:\Users\Admin\AppData\Local\Temp\pxinstall718.exe" /prop PRIORITY=Y /prop INSTSHELL=Y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.prevx.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbda3646f8,0x7ffbda364708,0x7ffbda364718
      4⤵
      PID:2640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:1892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
      4⤵
      PID:3540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:2800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      4⤵
      PID:1720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
      4⤵
      PID:3644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      4⤵
      PID:2368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      PID:3148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9622228277636165673,1249750538713566618,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4228 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
15e9c4b4eefb3e1c08a010e748e10f58

SHA1
3172378f2c7a00553ce086dbf53fcf3126c5a724

SHA256
07b56a769467e8b57f9b7acd9d32da266ca5000803758c18bb6818ac236c7000

SHA512
811058b539e914a812c88543bb6657de736f691d18d6dadb5e1f6ced286780fb334dc5f575babbcf4fd2dceda30d1bf4004b374c5775e7f278346b100b29eb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4829218222c8bedb9ffe89dffd37095

SHA1
aae577f33f413ec3d09f2e7ff5d9cc20a602241c

SHA256
49239b229a2519583ba5d6de3702480b8a8ebf3cfaa8945100dbab25fcb02b7b

SHA512
03e26a2e3de41b8a829b5543da504c7d7ccdc4c112d629efcac24dcda23acb50a52b5b99572b5efb2a01cf392a457cf9fac85663b3d63f7606be00dba218f8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
dade49c9ad4208814064cca7e9a703d0

SHA1
20a147e2f8733515b9c5ddefbdee769a18dfeedb

SHA256
f4f17952664626979d83c527bb3a0262bc365ea205b24011557e30f886f2cf65

SHA512
74063adeb7792ebd7d152c196024f391b7486e20d48e7420c630215d2ca540cd29c36bd46af4084e266a91258a66a73796cb974285a8db114b7c2632a800c81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
176f9b79dc1f54a2b2aaa64ad954db0c

SHA1
e34092c32d8575a39deff904df17e8fac60f741c

SHA256
031ba2a1dac9e65284fdae48221f0559fb4564c2fe6640afe4ac7fb0fe57e057

SHA512
d91bf34400d67d12dda5b27717d534c69feec3dbf6307697ff67a332ea8f2a3f84bfa26a85539e5e8e8113f727445b6a259b0b92b2f004cb8078a748315c1e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
caee2e2cba2ff038872feee8029cc755

SHA1
3c4dc9912a90b4c59885dd9ed948e95e00828111

SHA256
3c4c7feadfe0dd9ce854ca038eee38d2dc2bd915efd7d833b8ab14cd856a6426

SHA512
18fae6873ef06acfea1f9e08a1f941406da6ea704961516442aac9aec155cde35b6303db081b157f410ef98839e1a1d46fabd3e02d5dfb8cc919942e71ac7680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
509aa5c3d087aafd1626c240becf55b4

SHA1
53cb563472bf41542980734f16e8672645abb01c

SHA256
4affb3eaea5593a2273f56fcb24336142b76f722adf7af5b9c312d80c17d6d7a

SHA512
822a3d5484472f253bb1fec169683356eac293e53b96c7180a72b674f34216660670364a3465b7ddfd70b7537556d122e16ae197df2599a817b64bd8ec89ca45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7915ba0545666aa5833cf9f9f86d45d6

SHA1
743ecc319bc2a54973582d4a5198042a48fbe8db

SHA256
f8fcc045da13bde0f5dec3ada86342105cbff34ebc2442bcf51e8ed509a95b20

SHA512
a53036251a22cdc95579ea8641c5574f1dc1f7dfd0390f00ebeafbbea0c1a2c0c3e6dba23bbbb8d8e2c77a3e1e816ccfaf84a97da1c334019c8df1414999d1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\99f165cb2044a72beb74125231569e99f93e0a79\index.txt

Filesize
93B

MD5
adaf61413c05c1d633c33edb7921c445

SHA1
539a3ab5bd16c74e3294bd4720df73b83c2316ab

SHA256
6444a6c71efac5f779db29f4fd2ccff644fc60d72dd2cb4ef42bfd2ce897a50f

SHA512
2845f4b51b941258e2d34c1096370c3fdf4a59deeceff74ea3d64a1101328a9f4420947956cb72533f4a45fa0ad7db4cdbddfd0a00b5c9d73a208c3ed695860f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\99f165cb2044a72beb74125231569e99f93e0a79\index.txt

Filesize
86B

MD5
8d8e39af335d64f7a7b0aced67bb414f

SHA1
eaf01f570c9d61f0dde33f98eebd2917d82d4134

SHA256
ad9839420d0945ddec2603769a195253a14e6809d92365c04f99ba3e77e3e5fb

SHA512
2e291edbf6327f64eca1d1c9b8459da941609313dc013480beaf0e65760bce3fd4fca8a7ce0a5b683fbd3dd6cd51169a28eb55e261a2f924976d675c19a32288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
71285bb1e71ee7e92a2b44d602c459cf

SHA1
2bb05cd73e03ee2731bc976030697b4e9ce52a38

SHA256
15fee19a7da82c53f7bea9d20a0a87a12a1929ddc12beb8aa521e8418d8673d6

SHA512
27867e70e1a375e44d2227814db2d13fedc210c03b429c353a4603a1ba3783abb00fa353da90326ed11c37d2c68e220446192f57bbc01262109b52c3a4b9c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxinstall718.exe

Filesize
4.2MB

MD5
dc6dcb62ef19ffb6e19eb806d53e8816

SHA1
c3cecf4467bd0b38559bbc5df7a900dab7315943

SHA256
833ba8848f93cb639019b6128a64522b343f552d8664e5de460037279e9a70d0

SHA512
cd503482e798eb704ebc9f1ea16f72890d653f5ba6053c8323187cc7e4962ef144b158558f4bd968115195ecd4952a38d534341e89455711bf6a944da129de35

Download Submit
memory/3756-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3756-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download