Overview

overview

10

Static

static

3

ed69746aa4...18.exe

windows7-x64

10

ed69746aa4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    ed69746aa446d81ec40535f048806a4c

  • SHA1

    083afb28943d6e75245a9a5a8d598fedb572d651

  • SHA256

    99a0be7e62206f74468ce3b6a6c6e307133a8dc5f51da3d43d7b017d51db0d60

  • SHA512

    8bfe12e54eb1ce2aa1d7b0dabb4890fb0d141bc43d5fef0f7f6575e5fc72a9703a828cad6fea8af9c428352f7c1352d78f11eb41d420126d13df75a239775599

  • SSDEEP

    6144:mGj01tuAV3qkskU8ywoyz6Bk1j2wdPVfXNpkJWv/bEf2HYfuj8:tcvMkUs/uk0mP/k8vT6wY9

Score
10/10
ponycredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 13 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\3C030\E5AD1.exe%C:\Users\Admin\AppData\Roaming\3C030
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\ed69746aa446d81ec40535f048806a4c_JaffaCakes118.exe startC:\Program Files (x86)\30DAA\lvvm.exe%C:\Program Files (x86)\30DAA
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1696
    • C:\Program Files (x86)\LP\D113\F3E5.tmp
      "C:\Program Files (x86)\LP\D113\F3E5.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4308
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1644
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3764
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3268
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4808
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2596
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:320
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1048
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3916
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of SendNotifyMessage
    PID:3268
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2280
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:948
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:744
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3664
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2920
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1504
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5064
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4320
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4364
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4208
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    PID:5016
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3292
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1672
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3152
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4672
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4084
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3752
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2768
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3636
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3836
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4836
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4444
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2880
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3612
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    PID:3280
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3696
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:1732

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Modify Registry

      5
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      3
      T1552

      Credentials In Files

      3
      T1552.001

      Discovery

      Peripheral Device Discovery

      2
      T1120

      Query Registry

      4
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\LP\D113\F3E5.tmp
        Filesize

        97KB

        MD5

        ba97344303629a238cfca2f532434690

        SHA1

        5b33b602f875e3eb825c2832a2e7d3e4901c8771

        SHA256

        796a4920cfdc6e3d28d115ff6bb442a0e3be3b9ed4ee67d75ee35b4ffce537a9

        SHA512

        e78ffa32be0be8d0ae345ba008c94bb9cc474660e64b7134df67500bfdeb95ba747e637918cf1d190bd663efa6de331b3955213fba99d875687df97d4b0d9c89

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
        Filesize

        471B

        MD5

        109b0900e7476ed981f16034b342d64b

        SHA1

        7abe77549520d523d52115a4bc97d78357af6699

        SHA256

        97a89e0b088fcaf6c8e44cbb2b05701b99c4e12619539e91dd0303a58b282257

        SHA512

        1afc2e959942ff517a35f47b5cce3fc7dbc731a61922acc5c0522854e7aac6f428e467609c88f93db3ba01efe83f18a165c5e2b5f7497fbfeb6de0b8eb3f3e63

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
        Filesize

        420B

        MD5

        f03f8d5962893de0ec16cc2535a789a4

        SHA1

        2d9be56c7a3ce3da009c3c1302c8ce815ae964df

        SHA256

        066ea74063f7fd890358c5db21f7182423327ef0842457ab1dd4a60e2ebce58a

        SHA512

        55f30e27b844efdf9b1208044a80cdf7c63fa71318a191c0c336af3b18b8ba1e3e10024458f031923be7f7001f8e8fa68f6bfe11342a8c0f89fe55a7b3168ee2

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
        Filesize

        2KB

        MD5

        5ed5afa7107d985fc3c7d7ac88c5c0f9

        SHA1

        c1d6047e6c6ab96ed6af274e6e7d7f5fd84b09ac

        SHA256

        992f085881dbf2049e7b0b355b3eefb708a58cd49b4a78b214fc749ffd11e1c6

        SHA512

        ede5dcf50d143eb0fcfe36cedaa8f08bd936322fb47e8b542aff721991acb51a42014faaf156557d6364a22daf1cf1cd01cc04ae0f0f903ea1b4bf2a8cb6d293

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133713026206594424.txt
        Filesize

        74KB

        MD5

        8b691622d0ceb8f78c41747cb518ad3a

        SHA1

        b1c3bd716212e72c1f2f03414b400b050a243659

        SHA256

        686f35a4f707fe1b479a05a2fc453890aaa661182d44e5fdce074ba0e22bf26f

        SHA512

        dd4feecd37b5c214942cc6625862b305e24ce0f1d8b41974a5e5e8d82aeb1583520597e08991cdbbcba11798248157400cca46643180255a828aba791f8e6193

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QKJHZK6M\microsoft.windows[1].xml
        Filesize

        96B

        MD5

        c80e07f2e2bce84e8f3380b42ba6bd94

        SHA1

        33e20b05fc67a22ac3f3c214a32057254f97f2e7

        SHA256

        14808d37f1d44780098ddc2af07f7862b3c0c5ab1bfed6b267621e0a332a8bbd

        SHA512

        f5adf8b7bbc1b450249034376f7df69eaf2a7be8e516d511bb82828c19efddbee9247d20e4b4c629b7fe58c9391c31fbf48bdb1b857ca13e5f52b80cb7883f24

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3C030\0DAA.C03
        Filesize

        996B

        MD5

        0c87f2389a890a60b85662532d34c728

        SHA1

        717abf949376e88cc8406bf858dbdd0e43145594

        SHA256

        7e3374da29f1ee8b09f9f14e5550bbbd6988cb5fcef6011134e7cc96f172cb69

        SHA512

        3197fa42bbf3e4f4635182824cb08d1a25dabee29d8c6d676a1ae15bb0718a0599e594ec39c72cdd981d9d3cd3ff5c47562f3db5d8a6c6114c928a1ff5a6a840

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3C030\0DAA.C03
        Filesize

        1KB

        MD5

        3903cf55cf6e97243a4ae85884674595

        SHA1

        c7e49bfdca9bf0a83483f73998068578c19b68e4

        SHA256

        42ed4cab25e4f71902a8d4af7c154913283500def6d736b23b4483969886aa84

        SHA512

        36b642b20cdfa3759fceb7ad789a38250ebad9a05a3db86983fbea0156e71aad7e45fe5ca48211e8309198f438807eeb2af95c33ca5e3036e771e36570ac58c5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3C030\0DAA.C03
        Filesize

        600B

        MD5

        0ae7e0d93f527279d4acd6db49674b9f

        SHA1

        42a3aa1b2d2b2758ce4ab66da0964e6f550a86a8

        SHA256

        eb7c56411d24061ec101d3c6a11998733800d93ed3d3a0d7b7847009a6ab17b9

        SHA512

        2060864f6884657dd3b3792430a8c3552a07366c253b77d8a096e3633e1e024675b303c9b33500487c52ad61196afcb78facee0782db1e9ac1881e5bde2909e5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\3C030\0DAA.C03
        Filesize

        300B

        MD5

        23ca9b27a34fe208ee6781c1e408c027

        SHA1

        4eec69bcf7fbfe0a94494bccf901d46a51a59886

        SHA256

        e6f33797d86f04ad82cf8c1379dd228818f6188400061ddb3fc02fb683006f90

        SHA512

        13cb8da58165e97142bb95ef808b6f642fb3913ef8f2a675a07a037c64eb148b340ec4e2b536c99bb693f0284d49935d0079c7ebe0cfe61f03706aa45c26107c

        Download Submit

      • memory/320-326-0x0000000003030000-0x0000000003031000-memory.dmp

        Filesize

        4KB

        Download

      • memory/744-628-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/948-490-0x000001C340040000-0x000001C340140000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/948-491-0x000001C340040000-0x000001C340140000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/948-495-0x000001C341190000-0x000001C3411B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/948-521-0x000001C341560000-0x000001C341580000-memory.dmp

        Filesize

        128KB

        Download

      • memory/948-508-0x000001C341150000-0x000001C341170000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1192-39-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1192-37-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1192-36-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1504-776-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1672-1215-0x0000000004A90000-0x0000000004A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-150-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-3-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-626-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-924-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-33-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-34-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1952-2-0x0000000000400000-0x0000000000467000-memory.dmp

        Filesize

        412KB

        Download

      • memory/1952-148-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/1952-0-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

        Download

      • memory/2292-1074-0x00000183A5200000-0x00000183A5300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2292-1073-0x00000183A5200000-0x00000183A5300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2292-1078-0x00000183A5FE0000-0x00000183A6000000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2292-1110-0x00000183A66B0000-0x00000183A66D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2292-1091-0x00000183A5FA0000-0x00000183A5FC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2292-1075-0x00000183A5200000-0x00000183A5300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2768-1348-0x0000020163900000-0x0000020163A00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2768-1349-0x0000020163900000-0x0000020163A00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2920-631-0x0000016685800000-0x0000016685900000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2920-667-0x0000016687BE0000-0x0000016687C00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2920-647-0x00000166873D0000-0x00000166873F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2920-635-0x0000016687620000-0x0000016687640000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2920-630-0x0000016685800000-0x0000016685900000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3268-488-0x0000000004B30000-0x0000000004B31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3292-779-0x000001E7D0200000-0x000001E7D0300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3292-783-0x000001E7D1340000-0x000001E7D1360000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3292-780-0x000001E7D0200000-0x000001E7D0300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3292-778-0x000001E7D0200000-0x000001E7D0300000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3292-810-0x000001E7D1710000-0x000001E7D1730000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3292-796-0x000001E7D1300000-0x000001E7D1320000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3916-330-0x000002926A800000-0x000002926A900000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3916-364-0x000002926BCF0000-0x000002926BD10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3916-329-0x000002926A800000-0x000002926A900000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3916-328-0x000002926A800000-0x000002926A900000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3916-333-0x000002926B920000-0x000002926B940000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3916-344-0x000002926B5E0000-0x000002926B600000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4084-1346-0x0000000004550000-0x0000000004551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4208-946-0x0000024973A50000-0x0000024973A70000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4208-928-0x0000024972B40000-0x0000024972C40000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4208-933-0x0000024973A90000-0x0000024973AB0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4208-930-0x0000024972B40000-0x0000024972C40000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4208-965-0x0000024974060000-0x0000024974080000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4308-625-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4320-926-0x0000000004300000-0x0000000004301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4672-1219-0x000001AC02500000-0x000001AC02600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4672-1235-0x000001AC03290000-0x000001AC032B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4672-1222-0x000001AC032D0000-0x000001AC032F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4672-1246-0x000001AC038A0000-0x000001AC038C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4672-1218-0x000001AC02500000-0x000001AC02600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4672-1217-0x000001AC02500000-0x000001AC02600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/5016-1072-0x0000000004A00000-0x0000000004A01000-memory.dmp

        Filesize

        4KB

        Download