734ab649a60c490a87a8821bba5ec8157b4fcb87a252f23a5fefebac71c9e13f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Size

2.1MB
MD5

2e3673ad3fcf84b2ee940163b0606991
SHA1

91c9224daca394a6c183b3301ffaa0f686f7514b
SHA256

734ab649a60c490a87a8821bba5ec8157b4fcb87a252f23a5fefebac71c9e13f
SHA512

66383a954dcaf05270515c3bc552ad6d2ec1a1399b8bb24956f4fe5d06202a0cc8ecce78f9da824dc9f56773efec75afb08e3beb0e7e0c9fef0d274651377214
SSDEEP

49152:ujcTfcBU0Ny1x16Yf4WNKlTTKjgvpqQbTh4gUMFIaEOrwHC:/Lf664WN4TZpqQbTh4Cb5rwi

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2080	gamevance32.exe

Loads dropped DLL 3 IoCs

pid	Process
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2080	gamevance32.exe
4816	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\NoExplorer = "1"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gamevance\ars.cfg	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvun.exe	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	gamevance32.exe
File created	C:\Program Files (x86)\Gamevance\icon.ico	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevancelib32.dll	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevance32.exe	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvtl.dll	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvff.tmp	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamevance32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamevance32.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ = "Gamevance"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ThreadingModel = "Apartment"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gamevancelib32.dll"	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3552	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	85
PID 2040 wrote to memory of 3552	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	85
PID 2040 wrote to memory of 3552	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	85
PID 3552 wrote to memory of 2080	3552	cmd.exe	87
PID 3552 wrote to memory of 2080	3552	cmd.exe	87
PID 3552 wrote to memory of 2080	3552	cmd.exe	87
PID 2040 wrote to memory of 4668	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	88
PID 2040 wrote to memory of 4668	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	88
PID 2040 wrote to memory of 4668	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	88
PID 4668 wrote to memory of 4816	4668	cmd.exe	90
PID 4668 wrote to memory of 4816	4668	cmd.exe	90
PID 4668 wrote to memory of 4816	4668	cmd.exe	90
PID 2040 wrote to memory of 4448	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	92
PID 2040 wrote to memory of 4448	2040	2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe	92
PID 4448 wrote to memory of 2400	4448	msedge.exe	93
PID 4448 wrote to memory of 2400	4448	msedge.exe	93
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4276	4448	msedge.exe	94
PID 4448 wrote to memory of 4492	4448	msedge.exe	95
PID 4448 wrote to memory of 4492	4448	msedge.exe	95
PID 4448 wrote to memory of 2788	4448	msedge.exe	96
PID 4448 wrote to memory of 2788	4448	msedge.exe	96
PID 4448 wrote to memory of 2788	4448	msedge.exe	96
PID 4448 wrote to memory of 2788	4448	msedge.exe	96
PID 4448 wrote to memory of 2788	4448	msedge.exe	96
PID 4448 wrote to memory of 2788	4448	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e3673ad3fcf84b2ee940163b0606991_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8u6wsH0srLp59Tr58rHyeSyu8DH%2F8C0tbeztrDFxrGytsKyurf%2Fo%2F%2Bzs7Ozs7Ozs%2F%2FMyA
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa37ce46f8,0x7ffa37ce4708,0x7ffa37ce4718
    3⤵
    PID:2400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:4492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:2488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:312
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    3⤵
    PID:632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,15528511917183151737,16814998001829277182,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
95B

MD5
846459c511e58bdcb7bbe66c9e5bc3b3

SHA1
0f7a3a5fd7a87dea0508372db398834f06f7c914

SHA256
a2a335ae42b8d5ed2ce86325dfeafd9dd24b279dd0fef3f2cc1b632a5e02fe5e

SHA512
7c200a1b2a39a3172ab9f738e16faaa1bffecdd5e3bca2513b4ce3f0ead70c3c67229fd676732a52f6f922494ae169996b8ee14a11c14da9056ef7d6a17b27f7

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
107B

MD5
a13a73a23747658273bce56b97f54700

SHA1
1934c716245f8f5d1567563a359e34b4b3387e92

SHA256
135250c74c38442e7c717d4b7a274f57e1d7e919ed93746c2aab290bc81dd298

SHA512
ba1f1e69f6cb187ff6d6edd6a4bb20a41f62e20709551e5577c69de63e7f610c366c3ee3deddc5aa3830540b733c3a2446bad40720cf894c98b4c5f2cb107196

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
164B

MD5
6b1e482592a1040ed033e7e88041f625

SHA1
b7b425e319b1c22e4e731d6f2e149a636e704dc5

SHA256
01c5fb6d41e5d1e7554735be71c5992cea232459685673f594176042b5265cb0

SHA512
0d23d6af482bec8b183efee295f4656438e7c2c69ff9f89dcf4c1f507e2acfd45598878804b40dac4f4a0fb09164a7406eb7093715a99d73e6da2b29144ce4a6

Download Submit
C:\Program Files (x86)\Gamevance\gamevance32.exe

Filesize
241KB

MD5
3d508e07b8f36df6231913f533e43d30

SHA1
30e70d81d34c23e5e1579146b77520c33aef5f40

SHA256
2c61c2a154c894de7b5d88101f41b8f88a3d7661e53b85d2a3fbcc1a156fd2be

SHA512
4a73dc89060dfe577b65b584305ab2a76c5a0150a5c63975b995ac8474a486e3dd6a0ce18fdaa1765b73a26740548cd94994d3feda5cd2579d5fb8e22205cf15

Download Submit
C:\Program Files (x86)\Gamevance\gamevancelib32.dll

Filesize
228KB

MD5
509878ea0e7510916053cbbd93e5bb87

SHA1
346796160dc50037322be7eff3b299964432ad5f

SHA256
dc825b266d72e39fe5fa0544d5216ca31a5d9dc6854fcb1c0e9293703baf461e

SHA512
f9fabd178d91d4303b5f883e53ea47c61e71e83a81d9c968462ffe15b5183a157fa83f539b93d2bc2184878d5178538c01f342bf101e0227e4e559a2e1dc30c9

Download Submit
C:\Program Files (x86)\Gamevance\gvtl.dll

Filesize
261KB

MD5
a8076c285203aa6c4248362c5168203c

SHA1
9d73ecaf478d843dff8e1781f6f9aa2f11bf7ba5

SHA256
280cd7a2384a21f75541f9bd09ac2660251760ee56759c1d00180f6652a3ea58

SHA512
ec44fc926a2daef2a9bcb477cb9f207c012842a896c5945b33cafbfd54ec7dd09610275a7a30182856c76b825d96991882a10a8e06c962c4e862838fa34ad073

Download Submit
C:\Program Files (x86)\Gamevance\gvun.exe

Filesize
262KB

MD5
cd1e4ebf3d849b0bc43484618e060bfa

SHA1
3180cd4b7d8f37038e52f57a5578fbe619944721

SHA256
4430e580351c0b398590fe56414b2fd5097eef0bed65b5d257baa327f6941ced

SHA512
f49e1d2df5e5d2cdf0da7c05d5a770cd90cdc1009429389fde98aba6a4b30b62644f62cda1f8c079bd7731a98a1dce3b090ad39aa5f525acd5b2cbd4e92f006f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
c7a4276308c63209baf4378140991fbb

SHA1
cd04ff65877f643f5d5fd373eaef7874625b6ae2

SHA256
58a1e4bb771d092256221a0e5624b67a64e7ad715f5eff71f8f3a62dd6921386

SHA512
680575f94e497abe9ea5c4e3d8bd5499ed7ccd8cfc973d24e9936169e7f472d357d98573fd0b36a04240c59f75414c2b474d31fe0ac4de54931a571f4e468f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c9e246a3794f02d9673aa24c9fa0e60e

SHA1
f2a8ad953e6d3a7e25c7e6a675392ec49f4a42c4

SHA256
6012998b626822a4b9c808138ec18542592408efd2add34e6aa0575d1d3d566f

SHA512
ee151610a6dc3c17754f4c0420f74c4453e8f20a18023515df98f33799f49a1f15cad7da7105878be0141adb398b3e8f8244ec62a541206381e5beb1383b5749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09e049c77cfe9749917aa8743b53fb98

SHA1
7407d03167162f2d017f746b482f32bc9a621e09

SHA256
e31df48625d0eeca634a6c79b1b42dddf46b211b0e56b450c3cdec1aaf7dd843

SHA512
63aec8be394131a41e1a28b7b84cac99e400837d964b7270ec0bed128b6afa98cd3dd150d3bdbd38001670127b3dfcd1ef6a01021e9a5bee178f9bbbd3f0d2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f7a3fbedc6690a6578126a59e1c5a55

SHA1
5504d275c5f520fa44b3ccb2527f35f37e39febe

SHA256
86effbecd8dd18c00442ccae066baf67edd96a772d0401f630a4baa471f65917

SHA512
6bcb5db5499a34333b9c29f8e229b7c7ff7a52f3b4c397ff25265bfd303e3cbd1863fab70a459c8e66e1e9bd73962980e89f5196b59e0514e452e1ece6f40976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
382d2404de0cb734bd3651498d4cef44

SHA1
1acb7c12ddeae60b25632adec31005afebdccc79

SHA256
a6a5486d39cf4a07d89122bf08329f0fc19048a18c24fae4464082a8b5a18af7

SHA512
5f4018c8ddc84bbf324ff406bda6b534825be441e9529744dff9900f7745700d2fe9c12d79de60400275dce5986f2fc43480c2eef582a7591c42ab0b3002f24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583f65.TMP

Filesize
1KB

MD5
f8986fdf416380ba4c0a1d54cf0c46bc

SHA1
004cb59fad3cdc45f5a8bf233149f94091fbca32

SHA256
6d182e271c3c8fd72c604827a08a484d546ca59e039e285f3c3d158f67745f06

SHA512
6e46b70ab8b0dc6bd1c0d8a25faa03e7aba4ff3276951ecf27084f3f7ff59240766bf2b07e66fcd94db0774424052a5f4b84ef4804f4082b1ac3d8d69a9e4a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fdfdfc50a6220e61224698976c04e92b

SHA1
d7fba113d7cf0b7ce9151ec31a86d10086ec97c3

SHA256
0f74480f74dfcaf0a7ef460cf22b7fbed0212d530656b102a7fd5f099339cbde

SHA512
da0c604e9c65d9a71e72b9f470d81ae3b89ab468e2a6be48c31ec91b794761efe3a25cd187dbc98b1ed4bcf3300071ea013fa5545088219bcab07d935bcde523

Download Submit