pandastealer | e704c7f4d6181f8b15ec91a5263f8ce1d74db74cdd73490b9d167a170ad5ab37

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe
Size

1.9MB
MD5

96ca71d5635d5b0edd6ed0f716bc6928
SHA1

3ecd63a4d7ac4b82a04579e88121181743c281b1
SHA256

e704c7f4d6181f8b15ec91a5263f8ce1d74db74cdd73490b9d167a170ad5ab37
SHA512

b084a6ed4b5ae2d91688870dfb4cddf178499e2e524daf7287b207acde03b1a7cc263bc4c5d06d02f77b3d344add94e3ae148cf1f7cabd0d9fa4d380d855ba90
SSDEEP

49152:FMI8WYaH+8awlUMmyVD/oskLbVt6kImhsnwuswHZ6O:F8Vh83lY6buLbSmhyV

Score

10^/10

pandastealer discovery spyware stealer upx

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000240b5-14.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	extinst.exe

Executes dropped EXE 3 IoCs

pid	Process
516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp
1988	extinst.exe
2764	SkypeSetup.exe

Loads dropped DLL 1 IoCs

pid	Process
2764	SkypeSetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b0000000240f4-182.dat	upx
behavioral2/memory/2764-185-0x0000000000400000-0x0000000000704000-memory.dmp	upx
behavioral2/memory/2764-190-0x0000000000400000-0x0000000000704000-memory.dmp	upx
behavioral2/memory/2764-191-0x0000000000400000-0x0000000000704000-memory.dmp	upx
behavioral2/memory/2764-206-0x0000000000400000-0x0000000000704000-memory.dmp	upx

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1113095230\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1429337283\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1429337283\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1429337283\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1521270393\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_126006065\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_126006065\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1113095230\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1429337283\smart_switch_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1521270393\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_126006065\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2196_1113095230\nav_config.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1240	1988	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkypeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extinst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877904310975068"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{A2E45C83-BFCB-452B-A335-9FAEAFCCFCB6}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs .reg file with regedit 1 IoCs

pid	Process
220	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 516	3708	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe	88
PID 3708 wrote to memory of 516	3708	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe	88
PID 3708 wrote to memory of 516	3708	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe	88
PID 516 wrote to memory of 1988	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	89
PID 516 wrote to memory of 1988	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	89
PID 516 wrote to memory of 1988	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	89
PID 1988 wrote to memory of 220	1988	extinst.exe	94
PID 1988 wrote to memory of 220	1988	extinst.exe	94
PID 1988 wrote to memory of 220	1988	extinst.exe	94
PID 516 wrote to memory of 2764	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	100
PID 516 wrote to memory of 2764	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	100
PID 516 wrote to memory of 2764	516	JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp	100
PID 2196 wrote to memory of 2328	2196	msedge.exe	107
PID 2196 wrote to memory of 2328	2196	msedge.exe	107
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 3892	2196	msedge.exe	109
PID 2196 wrote to memory of 3892	2196	msedge.exe	109
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108
PID 2196 wrote to memory of 1184	2196	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\is-90PTV.tmp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-90PTV.tmp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp" /SL5="$602AC,1585041,114176,C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\extinst.exe
    "C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\extinst.exe" /silent
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" /s C:\Users\Admin\AppData\Local\Temp\\extension.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 760
      4⤵
      Program crash
      PID:1240
- - C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\SkypeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\SkypeSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988
1⤵
PID:1092

\??\c:\program files (x86)\microsoft\edge\application\msedge.exe
"c:\program files (x86)\microsoft\edge\application\msedge.exe" http://www.skype.com/go/downloading?source=lightinstaller&ver=6.2.0.106&LastError=12007
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=c:\program files (x86)\microsoft\edge\application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ff9a372f208,0x7ff9a372f214,0x7ff9a372f220
  2⤵
  PID:2328
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2844,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:2
  2⤵
  PID:1184
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=2892 /prefetch:3
  2⤵
  PID:3892
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2324,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=3108 /prefetch:8
  2⤵
  PID:3460
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:1132
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3556,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:1988
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4136,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:1852
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4152,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4348 /prefetch:2
  2⤵
  PID:4756
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3948,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:8
  2⤵
  PID:1616
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4112
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5308,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:5116
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3572,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:2180
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4740,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=1884 /prefetch:8
  2⤵
  PID:1132
- \??\c:\program files (x86)\microsoft\edge\application\133.0.3065.69\identity_helper.exe
  "c:\program files (x86)\microsoft\edge\application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:1988
- \??\c:\program files (x86)\microsoft\edge\application\133.0.3065.69\identity_helper.exe
  "c:\program files (x86)\microsoft\edge\application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:1056
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:2932
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:2952
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6028,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:3240
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6096,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:532
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:3148
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:2992
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6768,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:8
  2⤵
  PID:1748
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6488,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:8
  2⤵
  PID:3604
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4396,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:3668
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:5772
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4348,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2036
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5224,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:5292
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:5528
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6368,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:5600
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=864,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8
  2⤵
  PID:1900
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4060,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:2252
- \??\c:\program files (x86)\microsoft\edge\application\msedge.exe
  "c:\program files (x86)\microsoft\edge\application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6444,i,15497005215357640040,7129891848653324083,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fed4ab68611c6ce720965bcb5dfbf546

SHA1
af33fc71721625645993be6fcba5c5852e210864

SHA256
c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

SHA512
f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4013ebc7b496bf70ecf9f6824832d4ae

SHA1
cfdcdac5d8c939976c11525cf5e79c6a491c272a

SHA256
fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

SHA512
96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
57e4f363dcb1e464b91585dd02eebe34

SHA1
0be75e61b1ce339b3a39d97650954883a79d633f

SHA256
b5134d586f52bc41da3d90730bd8d64ed570319d99b3ca04181ad81952c18f2f

SHA512
8d9f1c6bb20215749ebfe2c1ac8cdc3d9b23f3b3f71c749a1fc4af4961b44316bf4479d713a1393a35658f2ce85192b878e1649e66ee1d56ff5e2f2aa00aa766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583c0a.TMP

Filesize
3KB

MD5
8ef50d1a5c7574c984095760bb2a0f51

SHA1
0c219d4ba0fb7d50e56ba7bb6a5ae9b296e5b653

SHA256
bebf9d0847d85d91580b3cbd01c0f011f1db48760818ad7514a207e89a674075

SHA512
d87ec976e796dcf6c633786e4fe2b3c5874313f088f1db284f2b0417c210d1bf53c45001402c2f82670d9f83159f00a865a1084f474c1f5e71fe9bd620deb1b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
458c17e677d7395b7aedcbe97a73755c

SHA1
cf603954bf5b3acc1b7e8cc7a37db492615687bb

SHA256
e42b9baf9a2ccd9b3193c5cd30feb93e5811ee33c912a6c39f5019516fb9ea4d

SHA512
1b0d76059107a4f546719dc52571bd7168b32bc3c7671a72cbc99b51e35b3192aab50a68e86db6e7b9883f636230932e0d58dc51600a891d56802822236f2855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
d6f8d2eca19c6b3fdeebf2a55ac3838d

SHA1
6baf9b167aa2d6d68cd9da01b57dee6f1e1aeaf1

SHA256
b203953f407adf6156e009d3c415c76731e5e458af226c276fda6f975ef4a334

SHA512
b4f9ad6c6f7427ccb1a25d7c02e9e45bb823caf1f9bf7303e1c52573733d56c6622cf9618c5ebc4634aeac96b702959abf5b10679b3dc030313cfd2256d00096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
9831a9c224f2c170d2a0ad7a66f893d0

SHA1
5fb11e2a45e86198364e813f2b393f05b37dc60a

SHA256
07d36390e5068b58e87148b562e56ffebf7d9a4bb1d0c34045b9ab89508ffcf5

SHA512
820cd00954de6809b75b43249fcebcdc607a0471670d7bb4e62bc56279218c3cf5dd8f30cb9474e7dc467756c0813f4b41a46db81d1f144447cdee8dcb45212a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
fdb44a97d075f9e5883638b244d11c26

SHA1
548f3839d3d080364e08ecc3f30910c203a706fe

SHA256
e83b3554f2b938ad8238f8ca5cff261d4c705495e22839fa20a8893dab33e5ae

SHA512
06e36aff1d385ec2b0d37e22a81c245a5c6ffe2db8ebe705cc55a0bfd4c5fcee4e307ef3e009dca037785e9626b623a8e00f164498afe6c6ce1d4d95a6985d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\732eeecc-c30b-4764-9bb1-ca38fb5ccfc9.tmp

Filesize
22KB

MD5
56a63f182b2938fbe3e59fbf9681dc08

SHA1
b76578ca24fb20b8bd5dafad4296e5a46735a5e1

SHA256
36edc2510fb072092e4c6b95efe4521857d9dcb7f0b45afdf5e8ef02e5d19593

SHA512
b17246b7c61e26fce1f211311b578d6b3d22c03a042137bb2bb5b23018ce5290a8fbf7a34b2f66fa30b2027296b8a570478f66a144385c320d63c1cef64434f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
4f82915a9ec0846554c6e15d21755cdb

SHA1
b7cdcb0178dcdc3b72f6618d7aff19efd05d11fa

SHA256
cd78c31d19e8337cd1222f2bb381958295ecf38b58afb8c8f3c77c8b51657e01

SHA512
aa5e9e5fa8ac09bf047dec11c99aa36153d0310327ed4fe59c17933c9d883a8b0b91b9bcd8bc56e27f5403465a3eda94a2ac2edc3993d20807cbc3e821d905d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
876B

MD5
4b7f8a8e7527d99f2fce57fa5d6fc4bc

SHA1
44c9170a48cb8b86aeb0cfa51ab674c419b72f18

SHA256
a491bcab7c5a9ad72c448468b2e08ae6e8ea3a301a7ae83aeb53dfd7f1194647

SHA512
29c1e00898ed9c78cc8284effa826f01c9d3f80c68cb83a75e03a17fc4f1ebc06196165a8905a2991b975b82bc393ba836c4cb6b70ab2a2f890b71062c897c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58baa0.TMP

Filesize
467B

MD5
65142d4d0bf6c6567aac550b7af68c97

SHA1
e0f0448866c1add5d00d22b379dfee350d7467b7

SHA256
e38cf3c708affa60d870ed9a77e384242ab327f9b7ddf7c8f4236904ae46e724

SHA512
79237e54c17e7c536eecfaa2e4f5a0e7d8cad89b254d89583d0ff933a43549a28c82e2393a0a4be1dc11357a4e9f8937fa6e43efbb82d2976219b0b3dee612bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
7a35402ee2340f3630c56ac5031af5e1

SHA1
992725a0142e46bd82ad13fcb4c656a6fef4ff94

SHA256
416d71d45102f7f7c30d83c643e5fc54bbb400b6f5fa5c73fc0b9bd35ce09c1b

SHA512
f767372a67912148cd9279fe48c57f4af946364b8d80066dd00fa269d4518a2fc4b98f3e3484c1cb5d92bb3fed5e985d388b49604a1608293532b8ef11e89520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
30f113f11d88e79cb80303ba2dd8aa17

SHA1
2724199e517b59cf0899aa002421baeefa1319a6

SHA256
de0f5d4cf9df4b40950bede6d8deefda89fae93f3ddcad3bbdb5c286254e1999

SHA512
664db1a128ce712d2e2f82db2f3143a94b6476112ab75b963f1a15b477023faeb5fb77307261e51a0f5bf0d6ca9010e8b7b9244fc3815d53862c9960259e9481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d8cb303b-a52b-403f-8890-792ff1a03f81.tmp

Filesize
39KB

MD5
741c673dce6aad33f36f025778b0ba3b

SHA1
32d8ecae0083a0fbe0425935774b3cb3c175bee1

SHA256
b50849d55bcd559bc78a28b5d41e08e94803fabed5ec07d566f094965d521b8a

SHA512
f20359ff97c9631f23134689d903fef8761e28a9d473829098308928bd1aec06d346f618e9459d59b70461c781905c30040cd838250da2220c0bcc4ac284a24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\da70b9a4-4239-4a57-9879-0d88d520bc12.tmp

Filesize
7KB

MD5
2ef9208a1bff22f38fe35254c2849c1b

SHA1
e6a0ed9f6b0e90a27f9e146ccfc5e6876fd4a3e7

SHA256
0a4c115099cbbd1bb2d845625545a6cba327c0d8c5d539e90b65e70ae9a72733

SHA512
347ebda91613e4e66845c8bd5033a472877e7be764ce896a8c0137c4d36c5f0cb0ab737dbb0352129a90255faf11b07293477ae8e7f77c3d3193dc33aee3e703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
d59a4ba1fc03e82f155482d75097c3aa

SHA1
741cd16e721c4e1e0d7a55f6f92cb57734ce2141

SHA256
f2baa9ab4b9bf6c58864e4cb33546a74c361a89940f37006df62dc56bc79bed8

SHA512
bd862b754edcb42b0f9c3f97b26426b6336374cd901b0c69c3d69a250495f3ee05646a7f8165f2bbec5f7f79e3c1786e75623c4bd0d39be02e322b2e5fff914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d802b3b-f19f-4368-8119-0455d7935033.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DefaultPackOffer.dll

Filesize
574KB

MD5
f9804e2ae39f73ef538883e57cb1e66f

SHA1
fa9ba19b20412aa7174d2e335182c6306f4eac55

SHA256
ab5eb4107888155e4f4cd63ff94e09ab2048505382b2495dfd3775b33bd324a5

SHA512
208ea94ca341116c304e23190ec38d4f37fed57b062b295c5a96e55a2c3d87315ba62a615322f2b55b869f9b1f38381f2f46f04b630f596184ca384ef9d8a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb5b903f-6d31-44e2-8b88-ab95d0c1d5f3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\extension.reg

Filesize
708B

MD5
4e9c9691ff2973b65934078f98b1a24a

SHA1
e14a20b1f58cdc7cbc144cc11f66e6fde626435e

SHA256
76e6f242bc6473188e185f9364f69d247717b00115603ef2da7ba50da1958e28

SHA512
0c0b2d1b8ffc3234045f7a61d33dfea09b017f699e342317055d9ac9f902c7b42327a2d35ad99fd3381fddd873b81a6f4b67c2f74a0a7f6b7eff22f00fb542d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\extension.xpi

Filesize
186KB

MD5
cff7efce24809714fcfa54368a736b24

SHA1
8f0e211caa0a123d80986b360adc8ec1a649a932

SHA256
dd2550934f8ff7f0d81db46a97a68a717cb9f00bf9a08849296e8400def53a10

SHA512
4ecb9c49e6424cddba1ff3818b9a92eab0b1cdd06407cecb63c3da695b9f63fd592c4001476f71dfcc0650d938daf02b60bee73be1a584a0770856e4105ecab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-90PTV.tmp\JaffaCakes118_96ca71d5635d5b0edd6ed0f716bc6928.tmp

Filesize
1.1MB

MD5
f120c361b527a9d090782300aa8f1ce5

SHA1
ed82441da0dc7a5695ef96839fc2aea0f0c7e376

SHA256
9209a83ac4b0127081327b6e03960e2a4325dbb31f0bba2b56dfb785583f9825

SHA512
60fc418c4296f67b923e1fff4e6034ed41eeba61604b14d560cfd84e7476b59311c6029aee7ee602d8fdc635107855e5c05dcf6a0137c6ba89db7134e63e5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\SkypeSetup.exe

Filesize
1.3MB

MD5
eca425e76b572f27b41945ed00fc1f9d

SHA1
a15d33080eb76eb2fc5ccd2b59210cff801a499b

SHA256
ca47b37d095706d5138621373c3f8d85c4c2052ccf6b85a9830755d3b136540d

SHA512
6d7f558f3ccf5b19c3c57f8829c23b0a6de37e80edd1f6fa78194f32adf4e540197d6c30445c9b47d96a9611887643ad33407b75458e5204aca0f0aee7769731

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M629V.tmp\extinst.exe

Filesize
661KB

MD5
0ddf620a5b532a27f86fd2221efce3c3

SHA1
30cb5f4951f2fad6afd9915dce83427dfe4dfeb1

SHA256
dae55c6229bdd1211cb999c4472d9062d5e73f030bb6ac9a55067ffa19a51429

SHA512
55403cc0e81655ee2c13e6f3d994f72e256b5163b39e5c15c725eba94b2a4cedcc46a6910df8392c3a1f9a401c2c6868810ea0e50ef6346cd119f4d44b1f71bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2196_2036144667\d79bd727-10e7-46a2-a912-2dbab112ac27.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/516-7-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/516-188-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1132-240-0x00007FF9C14A0000-0x00007FF9C14A1000-memory.dmp

Filesize
4KB

Download
memory/1184-230-0x00007FF9C14A0000-0x00007FF9C14A1000-memory.dmp

Filesize
4KB

Download
memory/1184-867-0x0000020E0DF40000-0x0000020E0E055000-memory.dmp

Filesize
1.1MB

Download
memory/1184-822-0x0000020E0DF40000-0x0000020E0E055000-memory.dmp

Filesize
1.1MB

Download
memory/2764-190-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2764-185-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2764-191-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2764-206-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3140-1030-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3140-1024-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3140-1031-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3140-1029-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3140-1025-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3140-1023-0x000001C020FC0000-0x000001C020FC1000-memory.dmp

Filesize
4KB

Download
memory/3460-238-0x00007FF9C1250000-0x00007FF9C1251000-memory.dmp

Filesize
4KB

Download
memory/3460-237-0x00007FF9BFFF0000-0x00007FF9BFFF1000-memory.dmp

Filesize
4KB

Download
memory/3708-2-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/3708-189-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3708-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download