Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 28-06-2024 02:53
Behavioral task behavioral1
- Sample: 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
- Size: 728KB
- MD5: 188733e806b624d1326cc1696b57cdf5
- SHA1: 5be9beef75c55c533717acec241812ffeb845d94
- SHA256: 89918f59012bfe8868fb7c72ba38c82c714123c605590eba3ce4563e86e131b9
- SHA512: 01af6622cb4b6296ad8efdade7686c14eeeefdf64e593a50784abdc1cbc36fa52578ad973a8ede339ce8f3fc0cd02a3344552efe47d536ed9e4801db3fac60ce
- SSDEEP: 12288:RRKnmnC853ZRRJVBMU0lmMq41V2kI8v+lmMq4hU71:RRU6C853fR1MU0lmMq410MWlmMq4hU7
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource: behavioral2/memory/1588-22-0x0000000000400000-0x00000000004BD000-memory.dmp
yara_rule: modiloader_stage2
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
process: 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid process
5036 server.exe
1048 GlasTivaZ_V4zzzz.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"
process: server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
5036 server.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
5036 server.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid process
4812 msedge.exe (6 identical entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid process
Token: 33 3172 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3172 AUDIODG.EXE
Token: SeDebugPrivilege 5036 server.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid process
4812 msedge.exe (25 identical entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid process
4812 msedge.exe (24 identical entries)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid process
1048 GlasTivaZ_V4zzzz.exe (2 identical entries)
5036 server.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description: wrote to memory of (number of identical entries in parentheses; 64 entries in total)
pid process -> target pid target process
1588 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe -> 5036 server.exe (2)
1588 188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe -> 1048 GlasTivaZ_V4zzzz.exe (3)
1048 GlasTivaZ_V4zzzz.exe -> 4812 msedge.exe (2)
4812 msedge.exe -> 3316 msedge.exe (2)
4812 msedge.exe -> 2792 msedge.exe (40)
4812 msedge.exe -> 4868 msedge.exe (2)
4812 msedge.exe -> 3224 msedge.exe (13)
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\188733e806b624d1326cc1696b57cdf5_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cvg-bhlsk.blogspot.com/
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe592c46f8,0x7ffe592c4708,0x7ffe592c4718
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,8701352191359621279,17256273532336501674,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x4e0 0x154
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 144B
  MD5: 6ce6407a7591adf0f3a03cd8d6faa3be
  SHA1: 26f14bd3015dc8365499144d5a6b767467a5e02c
  SHA256: 46003d6047f4b3994c9467e8b47c1e73a632a8a05ceba438ea20db964ed77778
  SHA512: 375aaecfa1b8a5d06487feac6cb4c89396177ce9fba62998098e354b28cd4f4f5c3cce6cee524eff4be2c497ca1d22bbf42bdda10ca8771d39f859abeb575c21
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: bc85b7ff2b3700e20f616c76cf2cb467
  SHA1: fce2c7d16ff5363ec1fd16ff4a5ae194179f90b4
  SHA256: 46343e98b020c11cc8c1542016b68645ae19656c5011ef4f5e6f478ea05846cb
  SHA512: bb4e6b08675011b86f5404cfe66decb3a3c34af8e2a636892c2fe7f4affb31e7d122d0149e7d5ef720db3ce355c764891bcac47532a583841b3137ee1a3d230e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 5bce2e556ef0e1492cd7f0cad887fc76
  SHA1: 4a9a12be3ff298ea842432dc905119c56eb1acc8
  SHA256: 05742e2f9f730523b1fe422b0a98bcbb958ad191c3a9e390a054214140dac7b5
  SHA512: c83debeac8a97e71ad3dc2a2630911bdf72f97b8255ec09c1770c709a35849ea45cb91cc3da8488fa075a2489c5bc3b73d32cf15bf8992932e8f33131620f3cd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: fd6c9c07aa5afd613d676cc10ed024a4
  SHA1: 090e424c8219b068d748d58fb2ca584f7ed77237
  SHA256: 71dc259c9d0321ac1c93a03de09db9b89b1ba01db9ccd8f9fd37eedb694b1615
  SHA512: 1dff7be9ab995e5d41b9c34c78c1b6c83441b72227882b649a9dde51e19fcf3d64587b0ac20824688fd0ea47fd7efbe6624b6ab6721ad55e30aeab03bc2e9ad2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: cc965eb31d500860f3ade837b4529670
  SHA1: c4c41f05cb523e69bdfa64c060889d10bad724e6
  SHA256: 5d3ee664b857e93b6ae37f6bb4eb2511bd1fb7a8f95b4c89001de44dc22cce28
  SHA512: 37ea52e894ecfae42239716fed3ccb55a5180c5360ffe23996fb3c8b9eb9545ee7bd87fa0c0921c32280e5621436a823ec3478324ef1e8d717bb1cc1b371e59a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: b8c5eafcae379e1d5ceba3700ce8d5f6
  SHA1: 69b3b0cc6fe66823ee548571aaabba67fa861477
  SHA256: b9d18ddc165c7673bb309841b717f7b0c4dd21f9b51659ce6317f938ae681e07
  SHA512: 030f2a87b5c137dfef209d0725841a8a87f18cb146fc9cc57072519e2b1105d192d66d5af158ddbbd4f862d9b9a5f00c796735bcb633f51e8ebedfcdad17300b
- C:\Users\Admin\AppData\Local\Temp\GlasTivaZ_V4zzzz.exe
  Filesize: 564KB
  MD5: beb514f205d5e3518d60ea6026010fdc
  SHA1: 605e5b9689b2eb7ed080999071ea12e7aca3d410
  SHA256: 64ccda1260bdd01763d2f2db929ce275e18ac5fd415226aa54a594b74c836694
  SHA512: c019f3845d5e5cf6338d2a008dcbc290fb25a36f2b02df9999b5b890c695540aa5245a0752ae3fbf82c7a793373bf2850bc7c51a933afb48d60a34a8b3d95cbe
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 154KB
  MD5: 7d69b308a6e7bcf054e65333f28e3f6b
  SHA1: 335e77a91206201bb463883e8a8614eafdd49157
  SHA256: 655bcc23e3240b3b1d61eac6ec5c381b060e565103d310e449dc1be0fad37f0b
  SHA512: e6212cdf3239f25f3e18d410f095f315413bb106ac2165b38536a127faa80e22dbc3672792880a7971bf8173a9caa6f018dc23571616d2a5990a1c108f2b85e9
- \??\pipe\LOCAL\crashpad_4812_YKIXDSEFEUUQFPKG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1588-22-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB
- memory/5036-28-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp
  Filesize: 9.6MB
- memory/5036-33-0x000000001BDC0000-0x000000001BE0C000-memory.dmp
  Filesize: 304KB
- memory/5036-32-0x000000001B140000-0x000000001B148000-memory.dmp
  Filesize: 32KB
- memory/5036-31-0x000000001BC60000-0x000000001BCFC000-memory.dmp
  Filesize: 624KB
- memory/5036-30-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp
  Filesize: 9.6MB
- memory/5036-104-0x00007FFE5B255000-0x00007FFE5B256000-memory.dmp
  Filesize: 4KB
- memory/5036-29-0x000000001B640000-0x000000001BB0E000-memory.dmp
  Filesize: 4.8MB
- memory/5036-110-0x00007FFE5AFA0000-0x00007FFE5B941000-memory.dmp
  Filesize: 9.6MB
- memory/5036-27-0x000000001B060000-0x000000001B106000-memory.dmp
  Filesize: 664KB
- memory/5036-23-0x00007FFE5B255000-0x00007FFE5B256000-memory.dmp
  Filesize: 4KB