modiloader | 89918f59012bfe8868fb7c72ba38c82c714123c605590eba3ce4563e86e131b9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
Size

728KB
MD5

188733e806b624d1326cc1696b57cdf5
SHA1

5be9beef75c55c533717acec241812ffeb845d94
SHA256

89918f59012bfe8868fb7c72ba38c82c714123c605590eba3ce4563e86e131b9
SHA512

01af6622cb4b6296ad8efdade7686c14eeeefdf64e593a50784abdc1cbc36fa52578ad973a8ede339ce8f3fc0cd02a3344552efe47d536ed9e4801db3fac60ce
SSDEEP

12288:RRKnmnC853ZRRJVBMU0lmMq41V2kI8v+lmMq4hU71:RRU6C853fR1MU0lmMq410MWlmMq4hU7

Score

10^/10

modiloader persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ModiLoader Second Stage 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1588-22-0x0000000000400000-0x00000000004BD000-memory.dmp modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

server.exeGlasTivaZ_V4zzzz.exe

pid process

5036 server.exe
1048 GlasTivaZ_V4zzzz.exe

resource	yara_rule
behavioral2/memory/1588-22-0x0000000000400000-0x00000000004BD000-memory.dmp	modiloader_stage2

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe
5036	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

5036 server.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4812 msedge.exe
4812 msedge.exe
4812 msedge.exe
4812 msedge.exe
4812 msedge.exe
4812 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AUDIODG.EXEserver.exe

description pid process

Token: 33 3172 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3172 AUDIODG.EXE
Token: SeDebugPrivilege 5036 server.exe

description	pid	process
Token: 33	3172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3172	AUDIODG.EXE
Token: SeDebugPrivilege	5036	server.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

GlasTivaZ_V4zzzz.exeserver.exe

pid process

1048 GlasTivaZ_V4zzzz.exe
1048 GlasTivaZ_V4zzzz.exe
5036 server.exe

pid	process
1048	GlasTivaZ_V4zzzz.exe
1048	GlasTivaZ_V4zzzz.exe
5036	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exeGlasTivaZ_V4zzzz.exemsedge.exe

description	pid	process	target process
PID 1588 wrote to memory of 5036	1588	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1588 wrote to memory of 5036	1588	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	server.exe
PID 1588 wrote to memory of 1048	1588	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1588 wrote to memory of 1048	1588	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1588 wrote to memory of 1048	1588	188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe	GlasTivaZ_V4zzzz.exe
PID 1048 wrote to memory of 4812	1048	GlasTivaZ_V4zzzz.exe	msedge.exe
PID 1048 wrote to memory of 4812	1048	GlasTivaZ_V4zzzz.exe	msedge.exe
PID 4812 wrote to memory of 3316	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3316	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 2792	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4868	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 4868	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe
PID 4812 wrote to memory of 3224	4812	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cvg-bhlsk.blogspot.com/
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe592c46f8,0x7ffe592c4708,0x7ffe592c4718
4⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
4⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
4⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
4⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
4⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
4⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
4⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
4⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
4⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
4⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
4⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
4⤵
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
4⤵
PID:5048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x154
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
6ce6407a7591adf0f3a03cd8d6faa3be

SHA1
26f14bd3015dc8365499144d5a6b767467a5e02c

SHA256
46003d6047f4b3994c9467e8b47c1e73a632a8a05ceba438ea20db964ed77778

SHA512
375aaecfa1b8a5d06487feac6cb4c89396177ce9fba62998098e354b28cd4f4f5c3cce6cee524eff4be2c497ca1d22bbf42bdda10ca8771d39f859abeb575c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
bc85b7ff2b3700e20f616c76cf2cb467

SHA1
fce2c7d16ff5363ec1fd16ff4a5ae194179f90b4

SHA256
46343e98b020c11cc8c1542016b68645ae19656c5011ef4f5e6f478ea05846cb

SHA512
bb4e6b08675011b86f5404cfe66decb3a3c34af8e2a636892c2fe7f4affb31e7d122d0149e7d5ef720db3ce355c764891bcac47532a583841b3137ee1a3d230e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
5bce2e556ef0e1492cd7f0cad887fc76

SHA1
4a9a12be3ff298ea842432dc905119c56eb1acc8

SHA256
05742e2f9f730523b1fe422b0a98bcbb958ad191c3a9e390a054214140dac7b5

SHA512
c83debeac8a97e71ad3dc2a2630911bdf72f97b8255ec09c1770c709a35849ea45cb91cc3da8488fa075a2489c5bc3b73d32cf15bf8992932e8f33131620f3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
fd6c9c07aa5afd613d676cc10ed024a4

SHA1
090e424c8219b068d748d58fb2ca584f7ed77237

SHA256
71dc259c9d0321ac1c93a03de09db9b89b1ba01db9ccd8f9fd37eedb694b1615

SHA512
1dff7be9ab995e5d41b9c34c78c1b6c83441b72227882b649a9dde51e19fcf3d64587b0ac20824688fd0ea47fd7efbe6624b6ab6721ad55e30aeab03bc2e9ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
cc965eb31d500860f3ade837b4529670

SHA1
c4c41f05cb523e69bdfa64c060889d10bad724e6

SHA256
5d3ee664b857e93b6ae37f6bb4eb2511bd1fb7a8f95b4c89001de44dc22cce28

SHA512
37ea52e894ecfae42239716fed3ccb55a5180c5360ffe23996fb3c8b9eb9545ee7bd87fa0c0921c32280e5621436a823ec3478324ef1e8d717bb1cc1b371e59a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b8c5eafcae379e1d5ceba3700ce8d5f6

SHA1
69b3b0cc6fe66823ee548571aaabba67fa861477

SHA256
b9d18ddc165c7673bb309841b717f7b0c4dd21f9b51659ce6317f938ae681e07

SHA512
030f2a87b5c137dfef209d0725841a8a87f18cb146fc9cc57072519e2b1105d192d66d5af158ddbbd4f862d9b9a5f00c796735bcb633f51e8ebedfcdad17300b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
Filesize
564KB

MD5
beb514f205d5e3518d60ea6026010fdc

SHA1
605e5b9689b2eb7ed080999071ea12e7aca3d410

SHA256
64ccda1260bdd01763d2f2db929ce275e18ac5fd415226aa54a594b74c836694

SHA512
c019f3845d5e5cf6338d2a008dcbc290fb25a36f2b02df9999b5b890c695540aa5245a0752ae3fbf82c7a793373bf2850bc7c51a933afb48d60a34a8b3d95cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
154KB

MD5
7d69b308a6e7bcf054e65333f28e3f6b

SHA1
335e77a91206201bb463883e8a8614eafdd49157

SHA256
655bcc23e3240b3b1d61eac6ec5c381b060e565103d310e449dc1be0fad37f0b

SHA512
e6212cdf3239f25f3e18d410f095f315413bb106ac2165b38536a127faa80e22dbc3672792880a7971bf8173a9caa6f018dc23571616d2a5990a1c108f2b85e9

Download Submit
\??\pipe\LOCAL\crashpad_4812_YKIXDSEFEUUQFPKG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1588-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5036-28-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp

Filesize
9.6MB

Download
memory/5036-33-0x000000001BDC0000-0x000000001BE0C000-memory.dmp

Filesize
304KB

Download
memory/5036-32-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/5036-31-0x000000001BC60000-0x000000001BCFC000-memory.dmp

Filesize
624KB

Download
memory/5036-30-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp

Filesize
9.6MB

Download
memory/5036-104-0x00007FFE5B255000-0x00007FFE5B256000-memory.dmp

Filesize
4KB

Download
memory/5036-29-0x000000001B640000-0x000000001BB0E000-memory.dmp

Filesize
4.8MB

Download
memory/5036-110-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp

Filesize
9.6MB

Download
memory/5036-27-0x000000001B060000-0x000000001B106000-memory.dmp

Filesize
664KB

Download
memory/5036-23-0x00007FFE5B255000-0x00007FFE5B256000-memory.dmp

Filesize
4KB

Download