a4e7934f506d24d2d4d47fc3618e4f6ee210eb4af7b9a98e6f5136ea32485546

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
Size

253KB
MD5

83f41673425c73d4f1fc6293f72a2174
SHA1

ab5d32df9f836e09448ef3527538da462119dbc9
SHA256

a4e7934f506d24d2d4d47fc3618e4f6ee210eb4af7b9a98e6f5136ea32485546
SHA512

82063cfc55cabff138e2f8b1895b375a0268f7426fb99bb8f12bf84cae24007d011f8f54f856268f4a17a4d1253b5ba2f875bcd5e431e19e7154ceeec29d5c03
SSDEEP

6144:BN9Gm3BFqUjtE5yxlvwPzKoyQvtUzyUPuV4MkiEXu:L9Gmxkj5yXvwbK6vtUrWVlEe

Score

9^/10

defense_evasion discovery evasion exploit ransomware upx

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2212 bcdedit.exe
5544 bcdedit.exe

pid	process
2212	bcdedit.exe
5544	bcdedit.exe

Drops file in Drivers directory 7 IoCs

Processes:

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\system32\drivers\tcpiprefresh1	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\tcpiprefresh1	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\tcpip.copy	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\tcpipreset	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\tcpip.copy	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\tcpipreset	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\tcpip.copy2	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

Possible privilege escalation attempt 27 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
2348	icacls.exe
3428	icacls.exe
1484	takeown.exe
1012	icacls.exe
4564	icacls.exe
4588	icacls.exe
4136	icacls.exe
4600	icacls.exe
2340	takeown.exe
1952	takeown.exe
4440	icacls.exe
4860	icacls.exe
4968	icacls.exe
3764	icacls.exe
4436	takeown.exe
3592	icacls.exe
1772	icacls.exe
3868	icacls.exe
4512	icacls.exe
2684	takeown.exe
4880	icacls.exe
4132	icacls.exe
3184	takeown.exe
740	takeown.exe
800	icacls.exe
3224	takeown.exe
1424	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

Modifies file permissions 1 TTPs 27 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
4968	icacls.exe
2340	takeown.exe
740	takeown.exe
4136	icacls.exe
3592	icacls.exe
3868	icacls.exe
4436	takeown.exe
1772	icacls.exe
1484	takeown.exe
4880	icacls.exe
4564	icacls.exe
3224	takeown.exe
4600	icacls.exe
1952	takeown.exe
1012	icacls.exe
4440	icacls.exe
4132	icacls.exe
3184	takeown.exe
4588	icacls.exe
800	icacls.exe
3428	icacls.exe
2348	icacls.exe
4860	icacls.exe
4512	icacls.exe
2684	takeown.exe
1424	takeown.exe
3764	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 35 IoCs

Processes:

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\de-de\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\uk-ua\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\es-es\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\fr-fr\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\it-it\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\uk-ua\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\de-de\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\fr-fr\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\uk-ua\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\fr-fr\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\it-it\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\ja-jp\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\ja-jp\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\en-us\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\de-de\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\en-us\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\es-es\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\fr-fr\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\uk-ua\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\it-it\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ja-jp\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\uk-ua\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\it-it\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\en-us\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\es-es\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\es-es\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\fr-fr\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\es-es\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\en-us\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\en-us\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ja-jp\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\de-de\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\de-de\user32new.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\it-it\user32copy.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
File created	C:\Windows\System32\ja-jp\user32.dll.mui	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4516-0-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4516-188-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4516-272-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1320	msedge.exe
1320	msedge.exe
4840	msedge.exe
4840	msedge.exe
4796	identity_helper.exe
4796	identity_helper.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4840 msedge.exe
4840 msedge.exe
4840 msedge.exe
4840 msedge.exe
4840 msedge.exe
4840 msedge.exe
4840 msedge.exe
4840 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4436	takeown.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	3184	takeown.exe
Token: SeTakeOwnershipPrivilege	2340	takeown.exe
Token: SeTakeOwnershipPrivilege	3224	takeown.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe
Token: SeTakeOwnershipPrivilege	740	takeown.exe
Token: SeTakeOwnershipPrivilege	1424	takeown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe
4840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4516 wrote to memory of 4160	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4160	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 3980	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 3980	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 2600	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 2600	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 3108	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 3108	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4780	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4780	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4084	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4084	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4160 wrote to memory of 4436	4160	cmd.exe	takeown.exe
PID 4160 wrote to memory of 4436	4160	cmd.exe	takeown.exe
PID 4516 wrote to memory of 1956	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 1956	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 3980 wrote to memory of 1484	3980	cmd.exe	takeown.exe
PID 3980 wrote to memory of 1484	3980	cmd.exe	takeown.exe
PID 4516 wrote to memory of 5104	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 5104	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4316	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 4516 wrote to memory of 4316	4516	83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe	cmd.exe
PID 2600 wrote to memory of 2684	2600	cmd.exe	takeown.exe
PID 2600 wrote to memory of 2684	2600	cmd.exe	takeown.exe
PID 4160 wrote to memory of 4136	4160	cmd.exe	icacls.exe
PID 4160 wrote to memory of 4136	4160	cmd.exe	icacls.exe
PID 3108 wrote to memory of 3184	3108	cmd.exe	takeown.exe
PID 3108 wrote to memory of 3184	3108	cmd.exe	takeown.exe
PID 3980 wrote to memory of 3592	3980	cmd.exe	icacls.exe
PID 3980 wrote to memory of 3592	3980	cmd.exe	icacls.exe
PID 2600 wrote to memory of 4600	2600	cmd.exe	icacls.exe
PID 2600 wrote to memory of 4600	2600	cmd.exe	icacls.exe
PID 4084 wrote to memory of 2340	4084	cmd.exe	takeown.exe
PID 4084 wrote to memory of 2340	4084	cmd.exe	takeown.exe
PID 4160 wrote to memory of 1012	4160	cmd.exe	icacls.exe
PID 4160 wrote to memory of 1012	4160	cmd.exe	icacls.exe
PID 4780 wrote to memory of 1952	4780	cmd.exe	takeown.exe
PID 4780 wrote to memory of 1952	4780	cmd.exe	takeown.exe
PID 1956 wrote to memory of 3224	1956	cmd.exe	takeown.exe
PID 1956 wrote to memory of 3224	1956	cmd.exe	takeown.exe
PID 5104 wrote to memory of 740	5104	cmd.exe	takeown.exe
PID 5104 wrote to memory of 740	5104	cmd.exe	takeown.exe
PID 3108 wrote to memory of 4968	3108	cmd.exe	icacls.exe
PID 3108 wrote to memory of 4968	3108	cmd.exe	icacls.exe
PID 4316 wrote to memory of 1424	4316	cmd.exe	takeown.exe
PID 4316 wrote to memory of 1424	4316	cmd.exe	takeown.exe
PID 2600 wrote to memory of 4880	2600	cmd.exe	icacls.exe
PID 2600 wrote to memory of 4880	2600	cmd.exe	icacls.exe
PID 3980 wrote to memory of 4564	3980	cmd.exe	icacls.exe
PID 3980 wrote to memory of 4564	3980	cmd.exe	icacls.exe
PID 4084 wrote to memory of 4440	4084	cmd.exe	icacls.exe
PID 4084 wrote to memory of 4440	4084	cmd.exe	icacls.exe
PID 1956 wrote to memory of 3764	1956	cmd.exe	icacls.exe
PID 1956 wrote to memory of 3764	1956	cmd.exe	icacls.exe
PID 4780 wrote to memory of 4132	4780	cmd.exe	icacls.exe
PID 4780 wrote to memory of 4132	4780	cmd.exe	icacls.exe
PID 4316 wrote to memory of 1772	4316	cmd.exe	icacls.exe
PID 4316 wrote to memory of 1772	4316	cmd.exe	icacls.exe
PID 5104 wrote to memory of 2348	5104	cmd.exe	icacls.exe
PID 5104 wrote to memory of 2348	5104	cmd.exe	icacls.exe
PID 3108 wrote to memory of 4860	3108	cmd.exe	icacls.exe
PID 3108 wrote to memory of 4860	3108	cmd.exe	icacls.exe
PID 4084 wrote to memory of 3868	4084	cmd.exe	icacls.exe
PID 4084 wrote to memory of 3868	4084	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83f41673425c73d4f1fc6293f72a2174_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4136

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3592

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4880

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4968

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4132

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4588

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4440

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3868

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3764

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3428

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1772

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4512

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Windows\System32\bcdedit.exe" /set TESTSIGNING Off
2⤵
PID:3440

C:\Windows\System32\bcdedit.exe
C:\Windows\System32\bcdedit.exe /set TESTSIGNING Off
3⤵
- Modifies boot configuration data using bcdedit
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb5f746f8,0x7ffbb5f74708,0x7ffbb5f74718
3⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
3⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
3⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
3⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
3⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
3⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
3⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
3⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
3⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
3⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
3⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,18426605602169412216,15516703139461052355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Windows\System32\bcdedit.exe" /set TESTSIGNING Off
2⤵
PID:5316

C:\Windows\System32\bcdedit.exe
C:\Windows\System32\bcdedit.exe /set TESTSIGNING Off
3⤵
- Modifies boot configuration data using bcdedit
PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ac5132f4b9f97e12e07c87ff245458de

SHA1
c441e7fdc27dea1412413d256f47012d41f7fc19

SHA256
40f29251adc3c8c17c9a4b148726ad6b645e22ab899fe314be194a33be66e615

SHA512
3c01dda500cb9479a3a1855a0ffbc709780e0b7d3835b81db1ee836ba7c0d2f118201e779775d6fdcae9f299343a3f5ca5d8868cf3665cd56d56b7a5744ce1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
882B

MD5
108db3ffec5fe956433f990df2fde617

SHA1
56c4ba3729dd52267c7d942a7f77db7800c964fc

SHA256
688a1280f955763b05f46ad8034b3fbeb02fb941b050cd1e691e348740b9fd07

SHA512
9652651f0a3ed190c5f83eeca329c2fb44b3a7d74e22ef093e75ce9795e70c1f88c530c79f698896565bcb120f465427a3b044cfe4f3f409de71bf223dcf518d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
81bb8938cfd2baa8560917a8282bf4c6

SHA1
a26dfafa5669ec5d0e90353f56e258164b47b61f

SHA256
d2099a01ca56e0d2dd32b8e2c4bd3c5f0e4581918e344052d69a56f2c7afa932

SHA512
a57a373d9bdbb8552631d1953b0f3402701858c4b02747ba90353c955f20c7201e19fa0e54226765e52e189a17fe886461a9738ff218e90cd24df412cc23cc3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
198ef8fe7b084b850e7e419ff32e1602

SHA1
72c093453972665231e7765058ef76934aa8de27

SHA256
5e1735b306a37de3a02f061598829012cd3b3ff0ccca84c9794ad7aa6ac1d7b1

SHA512
d1c8f491862080cdf2c54e6fb53e17fc0509c0a83dc131388ec61c31542755250077d638a304be9c5d7d6c9e193d0ad63ff034bc7e12af3b0b336a296f6375f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a28c37bb119cbdf017eabd68b140da1

SHA1
c49a62e6def8b87cdc0e2535a11136ec46cd2553

SHA256
058ee941a1f4bbcd8ead7d22b13fcaea0693f0de63d3e2d519e836f6de8de211

SHA512
6f16f0d097bfa9a634e5dc2cec973c76df44ddb784b0c1e5ad5096017632932f97258d27d55f69b6b80561298b4c1372ac6c03c6bc88ed2f2fdc39157b8446e0

Download Submit
C:\Windows\System32\de-DE\user32new.dll.mui

Filesize
19KB

MD5
f8d6dd4349b7f240c6cd4d04d21657f7

SHA1
744e7220be770ddce55fc6242fa3c5547725fcd7

SHA256
bd2c70e7e8720942b4bc3020929b894bfbe5e9d97082a821272b73f5d480e9b3

SHA512
96f3e427b735a63b49c07e7f14754b996324a58cc15cf99e55c1ba1555dfdbeb7734719b06d4a95c322b3a9bb31c0bb192d78b06981c03ba0678538dd4890f4f

Download Submit
C:\Windows\System32\drivers\tcpip.copy

Filesize
2.9MB

MD5
313dd64a73ab31797e7263bbc33b91b2

SHA1
540a838d3e6c8cae9280d0241f66a5a6a94359fa

SHA256
7c3096abccd98d710b9642c162e424e8cd1d1cb6fc1f8439431bf149ce09c9d2

SHA512
72d6d29aa630497f030553711b54fa087b5bc2a5b94c308b4304809392b9a5448f3f0e43e60a9df83c6f6f57e62e6a302ec787118d660bbff192bbb5f576c870

Download Submit
C:\Windows\System32\en-US\user32new.dll.mui

Filesize
17KB

MD5
90b43ec7eb2e379561b0efd0d93342bb

SHA1
efdc5321144229a02e2347ae71ef1e9a869d8d3c

SHA256
6921a8d82bd3586df770d2854dc9c538f6de996a64c63c29e31b1e84be040f4a

SHA512
5cc5f9045c90e8fd7d0ddbc242ef64df71b10e36c3a6e5d25db8dbc2608aa3ec48b2a6b71686fa4646e40eefec700e0b2c324e8bde7da9239be98f1416a58e4e

Download Submit
C:\Windows\System32\es-ES\user32new.dll.mui

Filesize
18KB

MD5
88e058f2f65a9ecfc4023f5d6512bfee

SHA1
c3a86890e1560d33309c0e019d573855028a811b

SHA256
a0fc551bc1fe60ecedc79c387a3311f9879d1f69509e61c6a6e472534d7b4448

SHA512
e51ac8a044bd5a0de3eb5128efccaa04ee54c5578c698b00bef3ffd9094e51e550b757916af4e7992407019614fd816dd9d78231b6821813bf3e9b4e217f807d

Download Submit
C:\Windows\System32\fr-FR\user32new.dll.mui

Filesize
19KB

MD5
3996e9a5f0cc85e93aa7ade49a892c5e

SHA1
fa2b4d88bc4b2efb7acd13a83003ec23c44c2664

SHA256
39519ade42cac753b5fd8586786e292ada3c4910041353b31730fa3079801c21

SHA512
99a84f565c0c730472ebb7940c260460f54b1c88c446c3869ce5e889f4fd14230b40c6267de751d93a3e1882d6ac6cd29a6026591aebb3600caa7b508bd5d414

Download Submit
C:\Windows\System32\it-IT\user32new.dll.mui

Filesize
18KB

MD5
c99c413b13017aa89431469764aab8cd

SHA1
a556fc89f96414c3d2b262841b207065a5e205c9

SHA256
da174e40ddc8260b809f6331a2d3aa37daa108acd09aef38048432bd1ca283f7

SHA512
da93ae0f081900c612c66967c27baf19b2d2054462971887d295b3db3ca5c1e5dbfd92bd258c4acc683b7ea3414466ded4d6ae85464a4eca7e08029fb4c1d615

Download Submit
C:\Windows\System32\ja-jp\user32new.dll.mui

Filesize
13KB

MD5
e69bdd36a3eb328b1af034c72f160495

SHA1
7615ada4ae284c46dd7ae5212e336aef597814ca

SHA256
9c8c73bd07a703b1561e611e8e0754e3070aca9780069016061986550c3da772

SHA512
f6fb9b3936b856548d2a728506898556048e0708be7803b50a12063db39943f9ebb5013a8f670e3e1c2ce1f4865b7cc6470c3b87bc01957b8749305cc4cc2ec8

Download Submit
C:\Windows\System32\uk-UA\user32new.dll.mui

Filesize
18KB

MD5
aa12a3301c30a46acd35972b04c0a71f

SHA1
56a6a8b5f74e1bddb382f70e8fafa84d2313e364

SHA256
4d8dadf1c2659434290a2e304f9e87a1bd7de443ec8c7599d44d6f9e1636e77e

SHA512
cd64db81fcc2129b73c864bc63f987b447b7c1cea3194bd48f9aa34fb905617e72c585885f3dc071063a08b760bb75ef57f0ae2bca261435c567b4ce8e6f80c3

Download Submit
\??\pipe\LOCAL\crashpad_4840_PVPWOAYEBNBOLAVW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4516-188-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4516-194-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4516-272-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4516-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4516-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download