ardamax | 6149855591c7e4babbaa357c87db758a16f8f593c79bc72c4696466b01e5a509

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
Size

1.1MB
MD5

ba6865851d485da09c8bdec42d948462
SHA1

18e362f19436db3cc6866e404f144d50ddbe0515
SHA256

6149855591c7e4babbaa357c87db758a16f8f593c79bc72c4696466b01e5a509
SHA512

8db89b9701c14290d931b28424e1e039d0733f3d1ec6a0310160407a73be7e932d1293a765117e446fd3aada366b1ec84d3df27935b8ad816a2a06e70a1cf1de
SSDEEP

24576:3U4oT8KkjTGgGXL8aufWWYBPDIQjYiGyjZhn/19CPhrq9HDfMfGx8a:3ULTHETwXo+7cQEkjeBq9gZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cd8-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	ENF.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	ENF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ENF Start = "C:\\Windows\\SysWOW64\\YKGKYD\\ENF.exe"	ENF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YKGKYD\ENF.004	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.001	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.002	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\AKV.exe	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.exe	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\YKGKYD\	ENF.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENF.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
412	msedge.exe
412	msedge.exe
2192	identity_helper.exe
2192	identity_helper.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2380	ENF.exe
Token: SeIncBasePriorityPrivilege	2380	ENF.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	ENF.exe
2380	ENF.exe
2380	ENF.exe
2380	ENF.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2380	4812	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	83
PID 4812 wrote to memory of 2380	4812	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	83
PID 4812 wrote to memory of 2380	4812	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	83
PID 4812 wrote to memory of 412	4812	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	84
PID 4812 wrote to memory of 412	4812	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	84
PID 412 wrote to memory of 2376	412	msedge.exe	85
PID 412 wrote to memory of 2376	412	msedge.exe	85
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 1056	412	msedge.exe	86
PID 412 wrote to memory of 3288	412	msedge.exe	87
PID 412 wrote to memory of 3288	412	msedge.exe	87
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88
PID 412 wrote to memory of 2744	412	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\YKGKYD\ENF.exe
  "C:\Windows\system32\YKGKYD\ENF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Meu X1.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffedd6d46f8,0x7ffedd6d4708,0x7ffedd6d4718
    3⤵
    PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:1952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    3⤵
    PID:4520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3102863319378952180,12762162669137515932,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2612 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
468B

MD5
1e157737aa045b1b2347e935ea0ca9fc

SHA1
bb6ea2b24e5aa98c080d4fd0eedf6ddc0401688f

SHA256
619e8da626e0d1339b657b92ce89e93e723e08c5c01fd32702d60dc5a24756bc

SHA512
eb074a1a4933b69d9113195b5935794c1b26a8b4186061956679fb253ba6187c676baacc3d0038dab9a8a7105c7b1b6500b4887c2d66b2557416c97c44437bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6dac83094ab71433fb4d0fda7d64ef39

SHA1
88349f4c26ea7b2b74986a05b198553156e12eb5

SHA256
fcfc14b6155db0ab8747c0ef9a762f9eeeb7770036b2e596f3c734ef2fd5cd98

SHA512
231369334efe6b3cbd6a7dafb0fc9f60fd5210d17de9a506873f30a57af9871303bbdf0beb8c171857ef42372800f9bef434380da45799f9b6d9d59de0bc3ec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b33682d9b66771106aaab802aebfffe6

SHA1
16f05bb20cc366eac0a72ea147b2eb0a2c690208

SHA256
7877f296a8d0b93c1116b0f38168e0c01d61cf92f0c2cdf8fc482bfbbf06233c

SHA512
bdcf971f40ee39934976f8cb9469e046fccadcab03602b8928ceccbf91a21d9a5755c7ee84373577c04e4c5cfb51b98cca147e53ba64418b44de6a54dde74ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6674b58535f59e8e0a4d72be9829ec45

SHA1
983e3e2633c08ebe8afb7c80fe4207597c61da5f

SHA256
a670849bd3a9139a8e087498bd53c90c38e866f852e6b28aad1c96c4898fe8f3

SHA512
9011072e10ce411dad9fb9f522656437709e2c41d7889ed24d56eb3c9d643fe4616f1e17e3c5011e3fa3b74ab715eacb892daafa5d2749cd85bd110fb1863017

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meu X1.htm

Filesize
1KB

MD5
25353579bd802fa2e39d2a9ba462bcde

SHA1
5d67321e57b8dc31e6e9760e5fae54155d07274f

SHA256
ee602e03640dd70aa69463e3aacb7c2e84ce297a1417e00fbcdb697f83295fcd

SHA512
473f7d6f79b99d489cdcb47ff74d7e72451b59919af2feffb4cb0b2128a667513c9b449ad0de434ad19038f36f860e99f64c03829d84e9bf5f5b2c6f87095c5e

Download Submit
C:\Windows\SysWOW64\YKGKYD\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.004

Filesize
1KB

MD5
154d24bd0642c39e1e3ea10ef3dd9f68

SHA1
7764cd4c590809bbe42a5f72655226dd934b11e1

SHA256
3f3e6bcfa0a3be2a972e4319333f296816218d48c90f9b54285dcfac7d1b04d5

SHA512
42b3aa93cb0c669ab78eeeca5c5caa882e2aa0c881176a656d52ce8d8ed0c7c89c25e11db6d2f63a8be09456fed123963b280444eadcfc913099d60dd19cbc1e

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/2380-60-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2380-19-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download