b7dcd7609d1b1361e3b5d539fec1b44e284eab0afe5cc8cf1c3e7780c4a06e89

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Size

2.0MB
MD5

283063ed0e77163c6783f9a650d60208
SHA1

40e0db17c4961c4b1fcbb2e293ac24afdd272e54
SHA256

b7dcd7609d1b1361e3b5d539fec1b44e284eab0afe5cc8cf1c3e7780c4a06e89
SHA512

3f84bad317a25ebcf6d68ddf8b5c3d11fcf45c970f42ef1a01a4a91cabd1e4098fe9bfe112cca1aaacb61a8aafe57d08b0a16bb655c8c85fe5353b8c0d4d29f2
SSDEEP

49152:Xk2li/s7rZidGlmqGCQs20gmNm9gNMSlSW9X9x3P15k1K4F:02li6NvlaCL202gT99XVe1KK

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1744	gamevance32.exe

Loads dropped DLL 3 IoCs

pid	Process
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
1744	gamevance32.exe
996	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gamevance\ars.cfg	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevance32.exe	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvun.exe	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\icon.ico	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvtl.dll	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevancelib32.dll	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	gamevance32.exe
File created	C:\Program Files (x86)\Gamevance\gvff.tmp	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamevance32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll"	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4356	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	86
PID 696 wrote to memory of 4356	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	86
PID 696 wrote to memory of 4356	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	86
PID 4356 wrote to memory of 1744	4356	cmd.exe	88
PID 4356 wrote to memory of 1744	4356	cmd.exe	88
PID 4356 wrote to memory of 1744	4356	cmd.exe	88
PID 696 wrote to memory of 3788	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	89
PID 696 wrote to memory of 3788	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	89
PID 696 wrote to memory of 3788	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	89
PID 3788 wrote to memory of 996	3788	cmd.exe	91
PID 3788 wrote to memory of 996	3788	cmd.exe	91
PID 3788 wrote to memory of 996	3788	cmd.exe	91
PID 696 wrote to memory of 2848	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	93
PID 696 wrote to memory of 2848	696	283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe	93
PID 2848 wrote to memory of 4416	2848	msedge.exe	94
PID 2848 wrote to memory of 4416	2848	msedge.exe	94
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 4452	2848	msedge.exe	95
PID 2848 wrote to memory of 3480	2848	msedge.exe	96
PID 2848 wrote to memory of 3480	2848	msedge.exe	96
PID 2848 wrote to memory of 1832	2848	msedge.exe	97
PID 2848 wrote to memory of 1832	2848	msedge.exe	97
PID 2848 wrote to memory of 1832	2848	msedge.exe	97
PID 2848 wrote to memory of 1832	2848	msedge.exe	97
PID 2848 wrote to memory of 1832	2848	msedge.exe	97
PID 2848 wrote to memory of 1832	2848	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\283063ed0e77163c6783f9a650d60208_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8v1wsH0srLX5uLV2e27tdXEsfrs%2F7u7wMW2sLvFx7Cxxru7%2F6P%2Fs7Ozs7Ozs7P%2FzMg
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcd74646f8,0x7ffcd7464708,0x7ffcd7464718
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 /prefetch:3
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:1832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:1872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
    3⤵
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:8
    3⤵
    PID:1096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15277234484982606226,6304110171976300154,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:3728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
95B

MD5
4311ef2b0b0ca5d3bb028aec1d19e9e1

SHA1
a5c3194de4506cc4c8a74884f6469ba7f709d4f6

SHA256
490fa4a06b4cddca88b5876d8fd9652765f6ad73589b45024ea5948d21ddb924

SHA512
251d4439cd1394df6141fde2b311b6c56fb2ce5952310c7581e0a5cbbb6cf621b1787fc68a2f97b25c1a1b37f61099fda4570edad813fbc53aa0d3bfd2590c57

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
107B

MD5
dc3caad33406051a724858ff96482eb8

SHA1
1c8544997ab8c93c36fea1bfc9c965d8ff364483

SHA256
307cf9663630b178081c35bccf6082d3cf3b987b502587498ccb25e0973fc042

SHA512
e8cf49830a9b3439c7f7493b464b77e1997d3792b29065ed2de5feb18209f197317dee5a7a726e876990eb4296db59c2ce27017fad49c34b6904375231568561

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
163B

MD5
1496cd0936b01982a33a511468053e74

SHA1
73ceb3a657788c825ed4ded3b2df93bd610dd507

SHA256
4223aaa571111da7f5ad716b6dc52404ce2ddb7e989238502ac8f54e8361f68b

SHA512
2c43738da6d46690f58543b6dcac4381d56e8df029b4f3fa0223c15a58d61197891be7d6214f11c317d91bb822b1bf6d88d2a791e4a5c5bd0e0806090b900e9c

Download Submit
C:\Program Files (x86)\Gamevance\gamevance32.exe

Filesize
245KB

MD5
93de1834ef3a7fa0b51476bbc26fc294

SHA1
15399c408e9f325e912277e270e6c8db81054e6c

SHA256
f96540d5f8734c1e9969121f0572e033d218f3112bbe77304284b9034952ecf9

SHA512
0ec5027ab7b037a55e2b85fbd086e82bb2f5a5fb84bfdd1a0d8ab0a92b765aab893a4b7f6495f5bc221a9d4d24b3eabac9f504cc4f1829942ed0ce8b8a7f7cc8

Download Submit
C:\Program Files (x86)\Gamevance\gamevancelib32.dll

Filesize
222KB

MD5
46f6d017a601ebfab3b22586d1b748b8

SHA1
fffa62586f2a07684d64ef8fbd67a81aa1fe414d

SHA256
a3348be6ab16508804c2b4ceb6daf5ed1d7e1b64ce75df378a29ae1334c5d38a

SHA512
9261155a4c827923afab2ec8acd357bb59d49aef7980026aea9039d4092fa46778fad1bcd7a99b99cceacc45ddc7ae2ef345cc0316f447e81e76df24cfd34902

Download Submit
C:\Program Files (x86)\Gamevance\gvtl.dll

Filesize
263KB

MD5
33837759071294ec4c777805c764790d

SHA1
3a8cbd794098819b82278ac1511caa45acb97642

SHA256
69f86e13c333c776f071527d077d7edc63753b33fd5dcad418838cefd1354f24

SHA512
0a2e09fb24b32ec998782171b743b830329e6c289adb455c506c203c7fc2947a3384430a192ecce72f83985f1fc5ac97a12ecd8b92d1432aff1aa601799a42d1

Download Submit
C:\Program Files (x86)\Gamevance\gvun.exe

Filesize
251KB

MD5
548bb42bc34d6e2b8352de12d129715a

SHA1
0b9ef96d28f3b2ee74261576aa1178f97aff8906

SHA256
a03e1ad98c527d354ee4f99e053ca038ad9f70ddf22d5ebe7e6db782c8ebbabb

SHA512
f01129f90369dca303eaf97658d90485a1068c167dbd955869bfb349baf638ee3848041b3503d93e5b775b701dab2552554a2ceb53db42911b8d1904cbedc629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
8f2b0f37772f81d7d1fc1dcbd12c836f

SHA1
edca8ab9cb5e1a8a523b8b590a4705ba6e1c0932

SHA256
8d69437510bf147ad67f4d587517e525460d3d69d0302baf625e45b59946044d

SHA512
dbf5b7495879a441c519c13032cc7bc9dba7c6914d1312083eea7bce7df7eb764037a100fcf61927fcc9513ced371f2de825e8358421a72fcae980ea587ba89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
01677981b20a88b22f23269ffe47e8d1

SHA1
02fb1063530d8bd98b6dfd78ba1bb289d07bd305

SHA256
9269f169443080f4961cc21e669e6b74bf096999e0d3d25c0a1c7a03a6fcee8b

SHA512
2453c6acd962ab8fe67225963c06ee21ab3cfd6dfe44c3181c5c02f69a42eb22b73dbae5af11871651b30768081fa41890dafae4ad6e21137953ddc5bee4d880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92238f968e419195ac26126fb03acefb

SHA1
7394e466a90ddac60ce4c57fc319ec2cb0c344ca

SHA256
12a2c2cfa7fcf9ba4600c41726ca4b405887502094acbe19461999c7862c6d38

SHA512
2f8715ec7e057ac0b754ab400b8ec2466775a734477d78704298e3184079463e0d5394274525f955e889de49d2dfe456cf383eaa4ad2efd251d5cb5c0b7a1774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebbac002e272f0ca2fbf926bdb68b170

SHA1
1f3f746bd34ce9d624936cc69db8e8cf2fd00582

SHA256
0c2b1def07346a677471f10230d009ac5fd10ac6ce2c6cc3cbaf7c3eba8f7ece

SHA512
f00340fb0c86545ef2f9b9e4f74a599f46d7d92a9e2ef1178dc7d4f06e23ed8f78aadb1cf76657915906ac2d3f4362a10621ad7970e30ce019676530220163e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd24a3a7371c15e276ec11f63cf4166f

SHA1
24389fbcef419f9072b324e6319dca553866d6a3

SHA256
44b17892cc563a53509624bebe28250a324d0bb68ae196b4f30941041decf917

SHA512
d5c9237ef5eb89e924a63061d11e5cace95dd438ca0516ca57df7a920ed8c4b915db00554292ec3f716602021d7130c5591c8db1d06d6552a00a88436ea39d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e10.TMP

Filesize
1KB

MD5
ea28f72405a5bccf17d816b76354e612

SHA1
cb2d021b9e02d717ec9fa7e18fbf5eeee699620d

SHA256
2c3a58aa8b7c92fb5be5cd95a90987b20409f7e3750a0a3fa26613a0019c65bd

SHA512
b1a1f02f22d7f25ea61615e0a4d4433cce4d13cb967fbd13d2d2b1ae03c45492b61b6fa5cef9352db918262a822a7dfb4e891a85008180eebc737c245bc84f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
201cfdb4192e9a4ce7710917227b1758

SHA1
ba3544af5329b22ea860d55929ee865277a60938

SHA256
c0e1b64ba9d2eabf18f286bb2148d862abc4ec7d66a6e5038ab546e96f1cdbef

SHA512
5fb9ed422f3ac9d9ae7015d973d1ae536327bc29b7c5b64342aa02dcead02fbcdad055b152f3019771c4d06fa5f4ecb341093b0ab2c689cf8a526d452cf1e5d7

Download Submit