ardamax | 1558335060381a3a45cbd49ea18742a4d1f2bb7660905ba07fc01a215cc792d9

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Size

1.2MB
MD5

a112e40270437a236bdd9dfcc948a571
SHA1

8a986bdf5b0271e563879d322f4cb0cb9baba466
SHA256

1558335060381a3a45cbd49ea18742a4d1f2bb7660905ba07fc01a215cc792d9
SHA512

943099e0d4a2f13437eef1a7b0dcdf72a3b3a7c78d5daaf9882b0433f2b5a06e53964b470b47a0585c2999707cdb663a460515360bbc82af83cdb827f273b48e
SSDEEP

24576:8RWbHmsmKbRL6lzZXgfWDzyMM65tkU3ytel:8AbHmsXRePXgfWDOMjkU3KQ

Score

10^/10

ardamax adware discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c97-31.dat	family_ardamax

Loads dropped DLL 29 IoCs

pid	Process
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3512	regsvr32.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\ = "TBSB08725"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\fdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr2.clx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\userdic.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\accent.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.crc	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.crc	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\fdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\spellchecker_plugin.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam2.clx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\userdic.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill.cfg	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill_plugin.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\icons.bmp	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\basis.xml	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\correct.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\descdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\scengine.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\spyrem.exe	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam2.clx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill.cfg	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill_plugin.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\version.txt	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr2.clx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\tbhelper.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\basis.xml	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\icons.bmp	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\spyrem.exe	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\sñengine.ini	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\tech.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\spellchecker_plugin.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\sñengine.ini	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\tbhelper.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\version.txt	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\correct.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\regdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\regdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\scengine.dll	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\tech.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File created	C:\Program Files (x86)\CommuniComm Internet Toolbar\accent.tlx	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\CommuniComm Internet Toolbar\descdb.bin	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3120127992"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3120284285"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = d1c6ceecd318db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF} = 1c2ee06a5988574f90975a55a56a4caf	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed33631240000000002000000000010660000000100002000000021efbeff3e3e0033b24a6d0816917e0080f35c333f9b4d6d294284b593ff4a76000000000e8000000002000020000000e1196cc374bd9b3eb2d637dab37ca2de1f3c6621e3695308082b827e5c7af81a20000000a1d3ddaa3955a160de61fd5137b92ac9db764532b7a7a13f8e786d5dde2d410c400000003a2a3b4289db33255735372807a44f7fe0355792641461c0311d93f7434c7bead0edceb48e1f363e2040650e135341828ef2933f90024aaccf31082aa3611cff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e0100000600000001030000590400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c2ee06a5988574f90975a55a56a4caf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\SuppressPerfBarUntil = 51f469d7ac40db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E580B639-ABD6-11EF-B9B6-520873AEBE93} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145955"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3120284285"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506f8fbae33fdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145955"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3120127992"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31145955"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb73de6dedeff944803e966ed336312400000000020000000000106600000001000020000000694d127062cb700c34bf04e9f8261ef3e0b7cf65ea5bfa0e0f333b8da16395cc000000000e8000000002000020000000b74b3a99427727f5c3f8eab9c53c807ea1988b8ef6e88f53c3929e06f2634cd92000000037c8b96237358431a6df39401f2f34ee104fc03b305a183977384ff3d3cd57d240000000a30fa5723b84e204bd0f56d4f551f8b65c4472625e2ffc701010016b27c203f66e473ae7a4fc7cf9c7d205d4da014e488be6aece69d3f657081a494bacc1bc72	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b48abae33fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e0100000600000001030000590400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c2ee06a5988574f90975a55a56a4caf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31145955"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439377467"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e0100000600000009030000590400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c2ee06a5988574f90975a55a56a4caf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\VersionIndependentProgID\ = "TBSB08725.TBSB08725"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\ProgID\ = "TBSB08725.IEToolbar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725\ = "CommuniComm Internet Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar\CurVer\ = "TBSB08725.IEToolbar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9BB149A-DC7B-4E5B-825B-156CB84AE980}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9BB149A-DC7B-4E5B-825B-156CB84AE980}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9BB149A-DC7B-4E5B-825B-156CB84AE980}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Program Files (x86)\\CommuniComm Internet Toolbar\\tbhelper.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9534F437-EE92-47C4-836E-D316DDB426B7}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9BB149A-DC7B-4E5B-825B-156CB84AE980}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9534F437-EE92-47C4-836E-D316DDB426B7}\1.0\0\win32\ = "C:\\Program Files (x86)\\CommuniComm Internet Toolbar\\communicomm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08725.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\ = "IPosBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar.1\ = "IE Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB08725\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9534F437-EE92-47C4-836E-D316DDB426B7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9BB149A-DC7B-4E5B-825B-156CB84AE980}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725.3\ = "CommuniComm Internet Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar\CLSID\ = "{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\TypeLib\ = "{9534F437-EE92-47C4-836E-D316DDB426B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9534F437-EE92-47C4-836E-D316DDB426B7}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725\CLSID\ = "{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\ = "TBSB08725 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.TBSB08725\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB08725.IEToolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AE02E1C-8859-4F57-9097-5A55A56A4CAF}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9534F437-EE92-47C4-836E-D316DDB426B7}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD5C32AE-9FB0-4FC3-BA34-BA0808A74387}\TypeLib\ = "{9534F437-EE92-47C4-836E-D316DDB426B7}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4848	iexplore.exe
4848	iexplore.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3512	220	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe	97
PID 220 wrote to memory of 3512	220	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe	97
PID 220 wrote to memory of 3512	220	a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe	97
PID 3512 wrote to memory of 4848	3512	regsvr32.exe	98
PID 3512 wrote to memory of 4848	3512	regsvr32.exe	98
PID 4848 wrote to memory of 3736	4848	iexplore.exe	99
PID 4848 wrote to memory of 3736	4848	iexplore.exe	99
PID 4848 wrote to memory of 3736	4848	iexplore.exe	99
PID 3736 wrote to memory of 4252	3736	IEXPLORE.EXE	102
PID 3736 wrote to memory of 4252	3736	IEXPLORE.EXE	102
PID 4252 wrote to memory of 4284	4252	ie_to_edge_stub.exe	103
PID 4252 wrote to memory of 4284	4252	ie_to_edge_stub.exe	103
PID 4284 wrote to memory of 3204	4284	msedge.exe	104
PID 4284 wrote to memory of 3204	4284	msedge.exe	104
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 392	4284	msedge.exe	105
PID 4284 wrote to memory of 4072	4284	msedge.exe	106
PID 4284 wrote to memory of 4072	4284	msedge.exe	106
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107
PID 4284 wrote to memory of 4508	4284	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.communicomm.com/toolbar.php?action=installed
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4848 CREDAT:17410 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=502b4
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=502b4
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeaf8b46f8,0x7ffeaf8b4708,0x7ffeaf8b4718
        7⤵
        
        PID:3204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,5597025881351124061,2338558299880811081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
        7⤵
        
        PID:392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,5597025881351124061,2338558299880811081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,5597025881351124061,2338558299880811081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
        7⤵
        
        PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CommuniComm Internet Toolbar\accent.tlx

Filesize
2KB

MD5
81e9319284bebf4a64a1ae1aa9297d30

SHA1
3c7b8bfb0340a138974dc96dd2a42488e908b3db

SHA256
0ac1ead0c74e500a0f78d3f4b2bad09385c02f962974ac77e26d5ae9c62d129e

SHA512
8ff8b1110a9480c8b3a3ec9321f183a8e2aff48f6889328a2656974d3944eba37ef6ee410a61040e2d4684d9f3fa17f094172b9a5527ba0057006c81757487c9

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill.cfg

Filesize
18KB

MD5
3513969eb5048e2560c0116f09cc511e

SHA1
30a5e57f5cde04cbb5db6478922182787470ba17

SHA256
755a5d5165d43c17217795db944b0f01e03b96325bb83ddf6e50f909eab4e6b1

SHA512
9a03f3811b2d49f544d60b6cd27dc1c1e5570c7af2c7e4d3adb9b023289a1b51f98a38ed061c876b7a2f94265c730bbcf05b36f5110ac1518e1c2e9659737718

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\autofill_plugin.dll

Filesize
244KB

MD5
f43d684c3673aeb364e4549f62cf6a7e

SHA1
eb0448cf354d3b1abe767e80a115e1712734e967

SHA256
ebf969fec0e8c9ab5d2dd1b9a809615e5bbca0437cae20ea50b2925b17f72a97

SHA512
886cc9c778734b939faf9e3202ad8e120adafeba4f9937fc33bbadf723c65bc1c5e1b9070f7ac60d4a9639512282feb08c2d92425fb71e85ddb50ac78013a6df

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\basis.xml

Filesize
12KB

MD5
8ed64ed7d3927743920ff39c77e177e6

SHA1
e90c0fa21791d19a3cd23f51e19cb0fba57607bc

SHA256
f9629550f54d2229e6f734c1f5ba9c7b3b48ee94681b76ec3b6ef8d695641881

SHA512
014cc9c102bb575157274b3cbc9a6ec4267de2db2f7b92c92f0c22830df01d24d57b4fa57637585d10d15c2e0ca1e43f9f8f2f033763c8e01a51387b6ff33c65

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.crc

Filesize
330B

MD5
61903c42486c2062581b0d227e62edd2

SHA1
98dbbee5c59df00fd20fffca031cd85222ef94f2

SHA256
5890aff1507448bc1d444fe56a7673d095accbbf52677d0173d485f6257318a0

SHA512
57222ce03c2ec7aa118476787a19c5aa256e73be00ccac584d51f8466fa7e4e1bd14085aaf15e3b3709ff718960556c3a97086803b33b4611b69ef2605da0d5d

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.dll

Filesize
1.2MB

MD5
c20c1fd1a46880d06736b43e5ff0062b

SHA1
10161a72c9f25270bc56c09f453e9d8fbb0a3849

SHA256
f711613ee8f75abf45cd3f3b20e57785e69fd709ab3db9890729e9791d4b6be0

SHA512
e47a4f88f1b23a46917eea788544254e45d1168a31f95ed09cbfa7a0b8f8201656bd203765706d4a8ee4616b4cdcc78a4c20485a5dd2f053a14b6ce58494922a

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\correct.tlx

Filesize
21KB

MD5
92448b12999c1826957b714104d620ce

SHA1
657cd7e51326f2e0bc2514426948e76c25d9b82f

SHA256
1d3a8990fe7af3365acf9bdb78552a8508a2ecc553ccffd68a91e9e000b242b0

SHA512
2ce037025ef20f774acb68c40a53b65914443156ea86485ad58abfaeace13bd9e4aafb55f26e00f08be0536690e58dcf7e6d32cf88d4f562ec5d4f6761d5bfee

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\descdb.bin

Filesize
115KB

MD5
7bb096d53d9ca88388254afae9068995

SHA1
f877bbc27707547db79bc2a1fb05489104b05168

SHA256
c171108e3d59968b9de54565a732c5a87e90f83e079156b3c92386c192768e17

SHA512
901a05a0ba94ade6d9b90836bebd01c4af131457630cfd059ce6a1eba40c7b654c7b9f83079df6d08160e21e8a1842571bef6d077328fae097ac88cd9a6c5b97

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\fdb.bin

Filesize
496KB

MD5
20a6062a938e56319ecc28fcbf71c191

SHA1
da5096492160899b52a5a3414ec0829a38764600

SHA256
8718d1d8154d0e4fcd0e2c84d02f580af677b96dac589426b0ed7e327f550a58

SHA512
14bcec751dae012d35f25aae59dcec9dbaf0b8674035328cfa3a586228e40ffb6d2bbd3d4b068cae587f47f4f233ccea452ca016ecc4fc92b48a7a1a0baf3da4

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\icons.bmp

Filesize
60KB

MD5
0540c76a162cf8aea5b333a6e183bdbc

SHA1
10650aed77cafd0e0e10a98a67343157abe93652

SHA256
6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0

SHA512
7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\regdb.bin

Filesize
717KB

MD5
a9ea14a1fd7dbd79e7fc81c73b97a1b8

SHA1
46351d7552860351cd5cfb66a5056de3eb616157

SHA256
9c2ab69190aeb45e65faf317cbb752beb43895a29eac69dba12b7d6fa035a582

SHA512
1d0a15b2d128679c8275dea4a371e7b669a80d4d3e2d8a4c2f52d9987a2c589a7179f2885dc330cb58962bdbebb454513fab532405234a418b65b46e01dc4949

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\scengine.dll

Filesize
208KB

MD5
6577a80ad844076a70603b44f44ba1e3

SHA1
b5b060fda75a6c95225644f137e1e65cbc10b77e

SHA256
244c821688564bcb683592bd84fbfdd8e8ce54be699d48648f164c029ec66035

SHA512
f4623dfa538fc72b4f739ed8eb054ec6618cfe46784df170c1d7186b3ca6eff6730aeb6bdbd6acf860625ec6a95e73db8164563d215492bd80d8454518bbeac0

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\spellchecker_plugin.dll

Filesize
120KB

MD5
a7e0e5c28cdf9b0822fc33e073552a36

SHA1
0090f0be61ed98e24f5781686f73c5585e344fd8

SHA256
04165d906495ce8b1413cd22cd25aff21bf2b6f7f5ee3a197b24975edd8b073d

SHA512
0fa604a5b563a61ce52ee0d541e5fc9a25c7c4c891ebb4b23f0d3cb9a4c9a98fe0913a42718e744532fae03ee17c241262bcad3f76e386394b96c357c3984400

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\spyrem.exe

Filesize
280KB

MD5
83d5b6f29c5686bce69aa6999f4e074d

SHA1
b98cc07896b1d313e85aa839447d679d86176aba

SHA256
ad5ad2fe1229db247dcdd5b64fe49a588cbdc58d53e840c540cfaf9da53ce0c7

SHA512
5a718249d27380fdb51e1a7b9dc077c4edc528ae4aea2ab12b1a9f8740e61febc8086174195fd2a849b55866a918bc08913fb70f516b286c86b103981772fb9d

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam.tlx

Filesize
7KB

MD5
77eed4b296856a919e68bc23c57580a6

SHA1
9800e40738eeada502730fcbf8e27e98e38da592

SHA256
924ef798579f1798b9ab6e7492fb3449b81c47b0af47c11c87be14e4dfab41fc

SHA512
37267059dd6232cd9b56333082b02f164b51cfa30296c1870367fad70bb0083848c7da600553de9e5e48536885ed9231fc75618388c460eeb9926307ede60f8b

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\ssceam2.clx

Filesize
407KB

MD5
3e7ff0511befe21dccdb0e92dce5ff75

SHA1
e175b61e4ea90730777c4ad3b457e7ae2e5d93e3

SHA256
f07f5f4c8d4fe3496748b5964fff157fc85d3fd8e57140e2c21ffdee1e554f32

SHA512
ca292aa364b035bed016f9c3324fd53f4627aa4ff6014f500b7875f9bd67e5c99267edf707e9405caaef4e3d5a4734406466bb14c4d87fd5b742305fc871c75e

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr.tlx

Filesize
7KB

MD5
ee5c480aa68de03df03d0c8ef20bbf49

SHA1
968a06ce6362b2611bea5d104148fefc70f64e6a

SHA256
029354cff3194df395eaf2c08d30b75c256c44716c65a12ba6abbdd0910edd15

SHA512
08192820d289e59d1b0b6895ed9cebdf25a62d0a9a689c26c883b83030578e841e785f3032eec6e691976c4a4360727220eae69054f69dd3a4953ce54c19d83f

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\sscebr2.clx

Filesize
317KB

MD5
05b9bf1427c773c90281dc839978b0f6

SHA1
5c718b18b03060c6b2be25be350bb6511a3d10b9

SHA256
9f4b3686e888aef337e35c2c9041cbfade51e3939ab16c487064795047ee5035

SHA512
9681a3792e9e6fcc4cf3a3aa8b13310581f39cc439de5c2be68d30e9cd7939565758c8592ff06d0c1e0d78b3b9f221de45c128e7049f57edbf74ff660eb48416

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\sñengine.ini

Filesize
730B

MD5
cc20ee690736984301a8b1e8ec2841e1

SHA1
dcdd623475a70594e10e30d52700990111b28717

SHA256
7d132a41263d8fe38c18a8ae80efb4745321ab7df8282d89195dc6dcd9d58c58

SHA512
a88f22bd6a336c8d79d3b5add2400b728150e2749a0f952956dc5a76e2be26f2ed6706528c0a5f098a8287a2451f5b345f5c662474db3c0d0e444fca76dbf306

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\tbhelper.dll

Filesize
372KB

MD5
c4407679a570bef1b0171c93abd61361

SHA1
629eb29ca00268704ee73be12ca281c93f6c5fd9

SHA256
bf07e43e9ac1f11c650235b32e0e048a4f2fcd95c7787b6f61f0028467a4a3a7

SHA512
ee1de941dd9b5574bf15eb80e9d0b5ef552e95bfac249d1240de5bbec70a0b8dde0526ac62286c6f89024ff0fc95d1735c980f6335375de6e58314cda8bdae05

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\tech.tlx

Filesize
3KB

MD5
45650425e248e3d5a68f7d1121235d6b

SHA1
1fb95004c991137a52523a33c85a488ce614c3fc

SHA256
60a37df177a6e6b7fe294aa394438cb6514bacd8201a3e18f4b914a6105a8555

SHA512
181a12c0fe19d276401bc74dd13ad6f6961bbc3fe5cde88b531a48832c96017ba3f0bab4f148bb3f22996bf3c94ed7c0037312bfb98490a64b8eb2c6c547895c

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\userdic.tlx

Filesize
135B

MD5
2e6979e2b3af0d3b1af0e7a266c13184

SHA1
22602b8d04c16cb21d3051a074957dbbbcaa43f5

SHA256
1d7336dc906ffba986f9c2e3cd2899153b2c2f68381e36976c7afd278f4190be

SHA512
e40726345300b9bec6d9897bff6d742937a3d26de256d080bf8745bb074381c12ea8bb52883be35ab18dbeca89c8e045b752c118c2f6776fa1cf18bb3d71787f

Download Submit
C:\Program Files (x86)\CommuniComm Internet Toolbar\version.txt

Filesize
60B

MD5
477918939d0d15ce41b8510f4a9dcdaa

SHA1
4b7376fd44a01f0d353872cb5dc3df825afb04f0

SHA256
098e8d90526bde71724bfd4369a0a96e2fcfbc5c60b7222779ea15bae0454b58

SHA512
b21b8f693b95fa75e03251c8208829604ef24c986a8e3e83e51ba4a9e980583c4c608e4904857d2be558ca1177b2ff40ea5a6ce91ca42deb8680b5c6c6a33b71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a6dfcf513cd338ab2640f399e560ba31

SHA1
cbc6ea36eef4c8e6e8524b2aa220b9c0017a9145

SHA256
fac20d9c0f5375b23b8932cb8ecb0839245962b4b2cd91924cfc0d9206e4fabf

SHA512
7b2dc6f8ac8fc1503caa508e8efb767a99448c35ab4714c46c034536b4b7b9067b2bf3170798130fe5a9d2763f38308aba868ca301791d0abf60e169d17acd12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
2aa073ba2ec526e6ac4185fd0e11e0f8

SHA1
0696aafffd1f45886e4f1af8042d3e5d5d8fd20b

SHA256
7b9aaf14909187e84bcbcce1cd2b918db0473b3ff066089d8b0fc1b3f62f61ac

SHA512
973268048eae6167d0df222304f614d0a074c5907454ff84fbb136ae002d9c66f004dc50736f4607df5911e3251340ffbf90e968dbb767c509cae4d36f0941f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a09f7154c7abf7414e8f7d30ebd3e5d

SHA1
81c3d56dd38acb19aeea19ecabe944d130f5ce9a

SHA256
b09fe7e47e4b678b1abf6d0bc4b814666bc17fe2511d3f1dc31b845b5f5a199a

SHA512
e81553d33c8c2da808aff0f259f7fe75973c6d39ccd0f0e2b6bbe45f66072a04e702f8104ef3b4ffcb4851085f3cf249e90ca7f81abfe86c6b0ee5538dfae30f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65e8c9de0b42bcc5896805e668613c20

SHA1
61d442e5a428c71db816883095a7828278293dd5

SHA256
c6f5d03ef85e755a71e4de20bf8c1e8b2532861e157b05e6fe3ab19665b01f61

SHA512
4bbb05c93164933e2090b5065fd95c3fe414e6c8c2d2ced3046df961a62210028006f929a604a2f65b852d434fe352bf4b87909a50c0ece2e7cace052a5134b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dddb4870f96bc2cb1828f4c5c2c40ecf

SHA1
f778254180b889bb48e78b04fff3a3175cd520e6

SHA256
dbc5edcc66a91406f067b360980a286661f766f026d91fc56397abd2f2e594c3

SHA512
22eb6894b73e42d02f375173326a4ba4f4c3308d6b94e097493550cef9d3f9dd03977a76d3073ac6461482ea87f8aafccd326376ade8ab6380593d8ff00eacd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2760995f1ee243d77ecd63690c9a8ea

SHA1
0c30384a45cd3d95ec5fa1cd95e04097aa3073e3

SHA256
cdf95ccfd77a8367cc475f9d6a3d5ba41028bbd26616632369153aead56556f4

SHA512
c7bb223b709cbb6ab9fa53cd0c141876e904a84c590a3c4ab6d5378e1e961a45d2c4123c5192dba5a5a84ba7cc248036df0bdd59eac48356a8f5dd57ba375a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6731.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GRYMSCZU\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UV4TX9UP\v1[1].xml

Filesize
742KB

MD5
25a40f949855471562a1a9e465cfed7c

SHA1
c3a563c56fb8323e6c2ee7fa417c45d8384a4156

SHA256
075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127

SHA512
e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4

Download Submit
memory/3512-47-0x0000000002430000-0x000000000248F000-memory.dmp

Filesize
380KB

Download
memory/3512-63-0x0000000002580000-0x00000000025DF000-memory.dmp

Filesize
380KB

Download
memory/3512-60-0x0000000002430000-0x0000000002450000-memory.dmp

Filesize
128KB

Download
memory/3512-56-0x0000000002430000-0x0000000002469000-memory.dmp

Filesize
228KB

Download
memory/3512-51-0x0000000002430000-0x000000000246F000-memory.dmp

Filesize
252KB

Download