Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2025, 01:38

General

  • Target

    JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe

  • Size

    856KB

  • MD5

    f29d5c214d1622dd9e6c65996c977f49

  • SHA1

    351501e74e937677ea36e0ee6f9bb0c0aa4f8b38

  • SHA256

    41e8e0e2c8852b21ececb4640336fef5e0c149462efac9ab63b2c16748c3eedb

  • SHA512

    94c4b6a60a81ff2d44c92b83c7700f04d1bfdced04ebbe19bf0315e8eade78e069fd3b266a9e9b43a447a417dde56ea155efc547cee616f7a6b0f8f3180d5c96

  • SSDEEP

    12288:xhNC6uHZO3sjBKPeOMencvemgLtnVaEb86IthTjDQ5DmjqYs:1K0Oecve9tPIZTjPjM

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 17 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
      2⤵
      • Adds policy Run key to start application
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4948
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3704
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5024
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2472
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REY3OTI5M0YtQ0JBQi00RUNFLTgzQ0EtRDlGNkRGQTY1QkQ4fSIgdXNlcmlkPSJ7RDVEQTY4RDQtNUQ1NS00MjNBLUFBNUQtODIzQ0E1OTBEODJEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MEZDMjRDQUYtNEVCQi00Nzc4LUE5NDMtOEEzRDU5RDYwNTY4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM3NTg0MjUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4848
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3272
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c0c26a68,0x7ff7c0c26a74,0x7ff7c0c26a80
        3⤵
        • Executes dropped EXE
        PID:4236
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c0c26a68,0x7ff7c0c26a74,0x7ff7c0c26a80
          4⤵
          • Executes dropped EXE
          PID:184
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:4488
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
          4⤵
          • Executes dropped EXE
          PID:1056
      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:1344
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    1⤵
      PID:2096
    • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
      "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2104
    • C:\Windows\system32\wwahost.exe
      "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe

      Filesize

      6.8MB

      MD5

      1b3e9c59f9c7a134ec630ada1eb76a39

      SHA1

      a7e831d392e99f3d37847dcc561dd2e017065439

      SHA256

      ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

      SHA512

      c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

      Filesize

      3.9MB

      MD5

      ad5f7dc7ca3e67dce70c0a89c04519e0

      SHA1

      a10b03234627ca8f3f8034cd5637cda1b8246d83

      SHA256

      663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

      SHA512

      ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

    • C:\Program Files\msedge_installer.log

      Filesize

      104KB

      MD5

      33f021a1ee621e528ec2a53b3f6d2e13

      SHA1

      2c791c9e820f9e3280c4a19942d8a81c770bba09

      SHA256

      957e15e21d87a5bdf351d2569a4bbccc9fb656d48fb8c239daa3f0ed3999fe70

      SHA512

      83facae5f79ac4303b22c836a94a5fc7a8f41287585ebc854a58314e97fb6b99dc882e375556ac94e42e6cddd3a17a0ee52a55f724f3c05ce630af427e9ba7f4

    • C:\Program Files\msedge_installer.log

      Filesize

      103KB

      MD5

      a3bcb0696d0a1cf3122ef7332585871d

      SHA1

      88031386f3b0e0dbb1cdc263baa39bcd14b4974e

      SHA256

      6c206f79d315a08246ba22c44fb0b37c00529d4c801955f529adc52c74c571ca

      SHA512

      ad4034bca7a085085cf392a61c49361386410b4b23dc6194dcfcfcb9da682e3aef0f7ec9585b2b690dac670da9ccce53132f039f166d9291ff4e4cf5e66f7b76

    • C:\Program Files\msedge_installer.log

      Filesize

      73KB

      MD5

      40c7cf24497a9a9472c3188efcea0f14

      SHA1

      debfdfca3b50718df625ef268616b5ccaf174bc6

      SHA256

      f186c0671d690a2f87e6302cb689834666bcb23a443c456040dca11446d5c43a

      SHA512

      2c511d02150bd07e9c6ed1ee863b5a527f80174e63ef9edab17966d76a03fbd2fd2123758220eff4d76417439542bd0bec8316d0bf4cce7f8a15e55eeb81a988

    • memory/2104-142-0x0000015262000000-0x0000015262249000-memory.dmp

      Filesize

      2.3MB

    • memory/2104-141-0x0000015260AA0000-0x0000015260AA8000-memory.dmp

      Filesize

      32KB

    • memory/2104-140-0x0000015260A70000-0x0000015260A7A000-memory.dmp

      Filesize

      40KB

    • memory/2104-139-0x0000015246560000-0x000001524656E000-memory.dmp

      Filesize

      56KB

    • memory/3548-25-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-73-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-40-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-43-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-46-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-53-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-56-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-60-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-32-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-35-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-29-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-2-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-21-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-14-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-136-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-13-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-12-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-6-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

    • memory/3548-4-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB