Resubmissions

13-01-2025 04:29

250113-e39casyldr 10

Analysis

  • max time kernel
    60s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13-01-2025 04:29

General

  • Target

    JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe

  • Size

    274KB

  • MD5

    20f133b0b3407b5d0c441aaf448a5f87

  • SHA1

    46d646d569357f08f730d254b0f2a2ad4adf19d9

  • SHA256

    1a290a15b5d12f5e023f6c9575ac5d94342e13baa84fe93a202e172b96a2455b

  • SHA512

    77e50a9e51fb5303ceff573a1b64588500b170eff81cceb52a18d67682d4ce01b9f5f0f5976535bcc92c4539c259fd182347da5f5d6a0075dedbd3fce5955b6c

  • SSDEEP

    6144:/hsLoKMqEzfhk8El5WzhdkGlPPCYj3L8yKt:psLiqkhk8EDWkiSYTQBt

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++.

  • Cycbot family
  • Detects Cycbot payload 6 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
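The "UPX packed file" signature above reports the sample as UPX-packed. The following Python is an added example, not part of the Triage report and not Triage's own detection logic: it parses a PE section table with the standard library only and reports the three indicators stock UPX leaves behind (UPX0/UPX1 section names, a first section with raw size 0 but a large virtual size, and the `UPX!` info block written into the header padding). The "modified UPX" builds the signature text mentions usually rename the sections or strip the marker, which is why each indicator is reported on its own rather than folded into one verdict. The two PE images built inside the block are constructed header-only test data, not the analysed sample; `build_pe` and the sample names are this example's own.

```python
import struct
import sys
from typing import NamedTuple


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


def pe_sections(data: bytes) -> list[Section]:
    """Parse the section table of a PE image from raw bytes (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr))
    return sections


def upx_indicators(data: bytes) -> list[str]:
    """Return the stock-UPX indicators present; an empty list means none of them fired."""
    sections = pe_sections(data)
    reasons = []
    names = [s.name for s in sections]
    if any(n.upper().startswith("UPX") for n in names):
        reasons.append("section names: " + ", ".join(names))
    first = sections[0] if sections else None
    # UPX0 receives the unpacked image at run time, so on disk it has no raw data but a large virtual size.
    if first and first.raw_size == 0 and first.virtual_size > 0:
        reasons.append(f"first section {first.name!r} has raw size 0 but virtual size {first.virtual_size:#x}")
    # Stock UPX writes an 'UPX!' info block right after the section table, inside the header padding.
    if b"UPX!" in data[:0x400]:
        reasons.append("'UPX!' marker in the header area")
    return reasons


def build_pe(sections: list[tuple[str, int, int]], trailer: bytes = b"") -> bytes:
    """Constructed, header-only PE32 image for exercising the parser; it is not a runnable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew: NT headers follow the DOS header
    opt_size = 224                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1), rsize,
                    0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed samples: the layout stock UPX produces versus an ordinary three-section binary.
PACKED = build_pe([("UPX0", 0x60000, 0), ("UPX1", 0x20000, 0x1F000), (".rsrc", 0x1000, 0x800)],
                  trailer=b"UPX!" + b"\0" * 12)
CLEAN = build_pe([(".text", 0x8000, 0x8000), (".rdata", 0x2000, 0x2000), (".data", 0x1000, 0x400)])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = upx_indicators(fh.read())
        print(path, "->", "; ".join(hits) if hits else "no UPX indicators")
```

Run it as `python upx_check.py sample.exe` against a real file; a result with only one of the three indicators is the case to look at by hand, since that is what a renamed-section or stripped-marker build looks like.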

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2524
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe startC:\Users\Admin\AppData\Roaming\62BAD\58F2D.exe%C:\Users\Admin\AppData\Roaming\62BAD
        2⤵
        PID:408
      • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe startC:\Program Files (x86)\AD050\lvvm.exe%C:\Program Files (x86)\AD050
        2⤵
        PID:5024
      • C:\Program Files (x86)\LP\2D96\1CAB.tmp
        "C:\Program Files (x86)\LP\2D96\1CAB.tmp"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2144
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1388
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3984
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1796
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4292
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:664
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1164
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4720
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Suspicious use of SendNotifyMessage
    PID:3044
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3828
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1304
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:3580
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:436
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1948
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:4644
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2460
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3960
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:408
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3280
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:784
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:844
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4000
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3248
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    PID:4772
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3432
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1944
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2548
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2516
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4584
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:5044
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3220
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4328
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4888
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4216
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3980
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3856
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2652
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4640
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3304
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4328
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3548
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3496
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1792
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:716
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3248
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4308
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2460
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3744
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2512
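The process tree above shows the sample spawning two copies of itself with a `start<stage.exe>%<stage dir>` argument (staging `58F2D.exe` under `%AppData%\62BAD` and `lvvm.exe` under `Program Files (x86)\AD050`) and then running a dropped `1CAB.tmp` out of `Program Files (x86)\LP`; the explorer.exe, StartMenuExperienceHost.exe and SearchApp.exe entries are Windows shell processes, which the example below treats as baseline. The following Python is an added example, not part of the Triage report: it applies detection logic for those two behaviours to a handful of process-creation records reconstructed from the tree and collects the paths worth hunting for afterwards. The parent PIDs 1000 and 1001 are assumed placeholders, since the report does not show what launched the sample or the shell processes. Note that the report itself reuses PIDs (408 is the sample's child and, later, an explorer.exe instance), so on real telemetry the lookup must be keyed on a process GUID or a (PID, start time) pair rather than the bare PID used here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Relaunch shape seen twice in the tree above: "<self> start<stage.exe>%<stage dir>", no space after "start".
STAGE_ARG = re.compile(r"\sstart([A-Za-z]:\\[^%]+?\.exe)%([A-Za-z]:\\[^%]+)$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_stage_arg(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (staged exe, staging directory) when the command line has the start<exe>%<dir> form."""
    m = STAGE_ARG.search(cmdline)
    if not m:
        return None
    stage_exe, stage_dir = m.group(1), m.group(2)
    # Both observed instances stage the executable inside the named directory; anything else is a different pattern.
    if not stage_exe.lower().startswith(stage_dir.lower().rstrip("\\") + "\\"):
        return None
    return stage_exe, stage_dir


def analyse(events: list[ProcEvent]) -> list[dict]:
    """Flag self-relaunches carrying a staging argument and any process whose image is a .tmp file."""
    # Keyed on PID only because this reconstructed set has no duplicates; see the PID-reuse caveat above.
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        stage = parse_stage_arg(e.cmdline)
        if stage and parent is not None and parent.image.lower() == e.image.lower():
            findings.append({"kind": "self_relaunch_with_stage", "pid": e.pid, "ppid": e.ppid,
                             "stage_exe": stage[0], "stage_dir": stage[1]})
        if e.image.lower().endswith(".tmp"):
            findings.append({"kind": "tmp_file_executed", "pid": e.pid, "ppid": e.ppid, "image": e.image})
    return findings


def hunt_paths(findings: list[dict]) -> list[str]:
    """Unique on-disk paths named by the findings, for a follow-up file-system hunt."""
    paths = set()
    for f in findings:
        for key in ("stage_exe", "stage_dir", "image"):
            if key in f:
                paths.add(f[key])
    return sorted(paths)


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20f133b0b3407b5d0c441aaf448a5f87.exe"

# Constructed from the process tree above. PPIDs 1000 and 1001 are assumed placeholders for the
# sample's launcher and for the shell processes' parent, neither of which the report shows.
SAMPLE_EVENTS = [
    ProcEvent(2524, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(408, 2524, SAMPLE_EXE,
              SAMPLE_EXE + r" startC:\Users\Admin\AppData\Roaming\62BAD\58F2D.exe%C:\Users\Admin\AppData\Roaming\62BAD"),
    ProcEvent(5024, 2524, SAMPLE_EXE,
              SAMPLE_EXE + r" startC:\Program Files (x86)\AD050\lvvm.exe%C:\Program Files (x86)\AD050"),
    ProcEvent(1416, 2524, r"C:\Program Files (x86)\LP\2D96\1CAB.tmp", r'"C:\Program Files (x86)\LP\2D96\1CAB.tmp"'),
    ProcEvent(2144, 1001, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1388, 1001, r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("hunt for:", *hunt_paths(results), sep="\n  ")
```

The self-relaunch rule deliberately requires the parent image to equal the child image: a `start<path>%<dir>` argument alone is a weak signal, while a process re-executing its own binary with a staging path is the specific shape this tree shows.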

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\LP\2D96\1CAB.tmp
    Filesize: 97KB
    MD5: b5ea3a02245a0dcead8fab5351d1cf81
    SHA1: cf63d395d4e9f658ea3e73e0d9407dd4dd3aedf9
    SHA256: 9a9a5d6cbd12bfca01c9f5bf0fb16b750815c54ed99c81f387578e05efe2dd88
    SHA512: 59e0c251aade2dae3fa228aa0fc31c1ce3a29a17d8c7267db8fb77dfbaad75da8d1766c514088726d3c9df8e7ff7679151d099cb0123deeb2cc585a0b84a46fc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize: 471B
    MD5: 33b6a15b1397a410fb5624043946dbdf
    SHA1: 142c35062d9b18d960e3eeaf947b86fffd8803a5
    SHA256: 6c230484759e30e5fa400fa608b58ccd2c0faaa37b245068fb961dc95d39a998
    SHA512: 27d4e2643a2b5bf28a07c137c9a6dcabb251f5b433b9f38c3bd9a616d55f6dc7a659f3c9e05e6a3f91c6dd96cd9988bcdabd39d3a7a550ad72cac48bdff7be0b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
    Filesize: 412B
    MD5: 6944b7193abdac56d3336e36922c4246
    SHA1: 45d583091def85a769cf841204f57462d048352b
    SHA256: aba911d8f8307c9a948a994aa7902fb0dc0bcbfdcc9364973ac193b68f745811
    SHA512: 694491c74135ea3c90dcceb07836b7468d32b54ae30ff26c1f253e71ad4656119de1dee1a1f51e9b8dc14deaef77888584fb5532454467616db201fc430662f8

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
    Filesize: 2KB
    MD5: 768d97442c274037bafa06e8b98040fc
    SHA1: 444a78b403defa9da1e464f34a6d1bfa291f155b
    SHA256: e18c88ab7225a9292b095089c4c600c32632e751020787c5cb80a9ba33b9a000
    SHA512: c5808b499fecdfd1f55b2450da902d341d5386ad4ef105722f132b318ba630515514fa24d1bd65ca029ea72fa47b23729793451efb0b092f6a332277856b6d6e

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133812162582520425.txt
    Filesize: 75KB
    MD5: 041c9806b46b128fd91cbb3d7f60eed2
    SHA1: a4716af29568ad8cdff71ee3bfec4ec1376a2cc3
    SHA256: df15c39108381cdc5a36f42f2407b98ac55cf7178a02b3e76ff65078f82fdc09
    SHA512: 75bfe77999b127afbe6db99e1968161d2dd97f0d4ab7add8435aa0139c010af45382510a5b32e039d7059dba1e8af1a881f13f4229ab07235742f4102eff196d

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2C1DWAXK\microsoft.windows[1].xml
    Filesize: 96B
    MD5: e348d00fe7b19d8e8f6efc5cd8f3be59
    SHA1: de85b87da07da2e4b4215ef312d318f1b329ca6e
    SHA256: 4ee26da36e3b7d5c9f14f2ed8d6c75c10434acec949dc6e550f176b9acb84dd7
    SHA512: a0a9a671e08cb35904098426cf1b50a11d6a0c7be57f684f9808f5c953ac2732dd1f090c3d12260870056a1ee5f9097ad9872715c798fba196d7212a536afcbe

  • C:\Users\Admin\AppData\Roaming\62BAD\D050.2BA
    Filesize: 996B
    MD5: d17c786d9fc367c13bc350aeb6f96ab2
    SHA1: 62751f9b91e1a5f5a545f506fabc0d2447acc44d
    SHA256: bbb7b001cde315d8c4d1b633d0703a07c68dfbd4cf7dd500e840b09d458de4dd
    SHA512: c521ec63a7b110c4f28df5f0a376be05cbaffcd79d9af774ac95944cf1cc26a784683bd6fd7ace25f2a162b9449d6c3e0c0f85cfdadb90f361cc28855fc20778

  • C:\Users\Admin\AppData\Roaming\62BAD\D050.2BA
    Filesize: 600B
    MD5: 5ede1e9af757241e86687b1272238b33
    SHA1: c4003e102817a32bde80482bbd72827d4e80a028
    SHA256: 195d54a697d67928135559400a08d27cb6cd4f8ad62267fa4de39d59498fd553
    SHA512: e4374f6daff533ac8c072f369f215ea41cdd0799fd040b4c7fcf6706902618fa7f10688fffb79c68901902d95c0301889f34eef60251f035c8a27db6a0bed26f

  • C:\Users\Admin\AppData\Roaming\62BAD\D050.2BA
    Filesize: 1KB
    MD5: 8ec711ea88ec349b42ec884eac8aaba6
    SHA1: 3f6968740c403071e512674689cd2393f7ce583f
    SHA256: 4edf58c6fc5b75040d82a9cb23814b711e0d09acb59cfd8e205cb58b71cfa70f
    SHA512: dda84d35fb98ae33adf5e4072195832610959935085f93ac795857d22dac745fba4c3470501035a48404f568268a8674d54d1216e97aeff94b01247d0b1c82c5

  • memory/408-17-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB

  • memory/408-902-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize: 4KB

  • memory/408-16-0x0000000000400000-0x000000000046A000-memory.dmp
    Filesize: 424KB

  • memory/664-298-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize: 4KB

  • memory/784-933-0x000001F73DEA0000-0x000001F73DEC0000-memory.dmp
    Filesize: 128KB

  • memory/784-922-0x000001F73D890000-0x000001F73D8B0000-memory.dmp
    Filesize: 128KB

  • memory/784-904-0x000001F73CA00000-0x000001F73CB00000-memory.dmp
    Filesize: 1024KB

  • memory/784-909-0x000001F73D8D0000-0x000001F73D8F0000-memory.dmp
    Filesize: 128KB

  • memory/844-1037-0x00000000049B0000-0x00000000049B1000-memory.dmp
    Filesize: 4KB

  • memory/1304-461-0x000001ED4F420000-0x000001ED4F520000-memory.dmp
    Filesize: 1024KB

                                                            • memory/1304-466-0x000001ED50580000-0x000001ED505A0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1304-462-0x000001ED4F420000-0x000001ED4F520000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/1304-483-0x000001ED50950000-0x000001ED50970000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1304-468-0x000001ED50540000-0x000001ED50560000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1416-609-0x0000000000400000-0x000000000041C000-memory.dmp

                                                              Filesize

                                                              112KB

                                                            • memory/1944-1184-0x0000015652020000-0x0000015652120000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/1944-1221-0x0000015653550000-0x0000015653570000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1944-1186-0x0000015652020000-0x0000015652120000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/1944-1198-0x0000015653140000-0x0000015653160000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1944-1189-0x0000015653180000-0x00000156531A0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1944-1185-0x0000015652020000-0x0000015652120000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/1948-620-0x00000165FD290000-0x00000165FD2B0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1948-645-0x00000165FD660000-0x00000165FD680000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/1948-632-0x00000165FD250000-0x00000165FD270000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/2516-1328-0x00000230AF000000-0x00000230AF100000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/2516-1327-0x00000230AF000000-0x00000230AF100000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/2516-1332-0x00000230B0160000-0x00000230B0180000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/2516-1346-0x00000230B0120000-0x00000230B0140000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/2524-611-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/2524-0-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/2524-134-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/2524-15-0x0000000000400000-0x0000000000467000-memory.dmp

                                                              Filesize

                                                              412KB

                                                            • memory/2524-13-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/2524-3-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/2524-2-0x0000000000400000-0x0000000000467000-memory.dmp

                                                              Filesize

                                                              412KB

                                                            • memory/2548-1325-0x0000000004160000-0x0000000004161000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3044-459-0x00000000042C0000-0x00000000042C1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3248-1039-0x0000016468B00000-0x0000016468C00000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/3248-1057-0x0000016469800000-0x0000016469820000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/3248-1044-0x0000016469840000-0x0000016469860000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/3248-1071-0x000001646A000000-0x000001646A020000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/3580-612-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3960-763-0x000001FD62820000-0x000001FD62920000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/3960-782-0x000001FD63930000-0x000001FD63950000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/3960-767-0x000001FD63970000-0x000001FD63990000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/3960-762-0x000001FD62820000-0x000001FD62920000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/3960-799-0x000001FD63D80000-0x000001FD63DA0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/4644-760-0x0000000004F00000-0x0000000004F01000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4720-335-0x00000187BA170000-0x00000187BA190000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/4720-313-0x00000187B9D60000-0x00000187B9D80000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/4720-304-0x00000187B9DA0000-0x00000187B9DC0000-memory.dmp

                                                              Filesize

                                                              128KB

                                                            • memory/4720-300-0x00000187B8D80000-0x00000187B8E80000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/4720-299-0x00000187B8D80000-0x00000187B8E80000-memory.dmp

                                                              Filesize

                                                              1024KB

                                                            • memory/4772-1183-0x0000000004800000-0x0000000004801000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/5024-137-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB

                                                            • memory/5024-136-0x0000000000400000-0x000000000046A000-memory.dmp

                                                              Filesize

                                                              424KB