Malware Analysis Report

2025-03-14 21:49

Sample ID 250123-et1zkasqgl
Target JaffaCakes118_139fe589e46d20919cff2c174895f8a8
SHA256 56561ecc97b07f026accd876f9b6ea0c74194be554ce3015efbf1ca6792771ef
Tags: discovery google phishing
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

56561ecc97b07f026accd876f9b6ea0c74194be554ce3015efbf1ca6792771ef

Threat Level: Known bad

The file JaffaCakes118_139fe589e46d20919cff2c174895f8a8 was found to be: Known bad.

Malicious Activity Summary

discovery google phishing

Detected google phishing page

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

Modifies registry class

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2025-01-23 04:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-23 04:14

Reported

2025-01-23 04:17

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A

Browser Information Discovery (tag: discovery)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx, 30000" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(25 identical entries for this process, collapsed into one row)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(24 identical entries for this process, collapsed into one row)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1680 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe 3
PID 4236 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 4804 wrote to memory of 1592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 4236 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3756 wrote to memory of 3440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 3756 wrote to memory of 5008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 3756 wrote to memory of 3324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 4804 wrote to memory of 224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 11
(identical rows collapsed; the Count column gives the number of original entries per row)

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe"

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe

"C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x390 0x2f4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.cybercrime-community.blogspot.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f6a646f8,0x7ff9f6a64708,0x7ff9f6a64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/pages/CyberCrime-Community/282353635172491

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xd4,0xd8,0x104,0x7ff9f6a646f8,0x7ff9f6a64708,0x7ff9f6a64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9916396133976410950,4037462654603078670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9916396133976410950,4037462654603078670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5114158719376422948,10106088342066043480,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6364 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 27.252.100.95.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 184.115.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.cybercrime-community.blogspot.com udp
GB 142.250.187.193:80 www.cybercrime-community.blogspot.com tcp
GB 142.250.187.193:80 www.cybercrime-community.blogspot.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 cybercrime-community.blogspot.com udp
GB 142.250.187.193:80 cybercrime-community.blogspot.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
GB 216.58.212.233:443 www.blogger.com tcp
GB 142.250.200.10:80 fonts.googleapis.com tcp
GB 216.58.204.74:80 ajax.googleapis.com tcp
US 8.8.8.8:53 rizqi.moehamed.googlepages.com udp
US 8.8.8.8:53 193.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 14.210.240.157.in-addr.arpa udp
GB 142.250.179.227:80 fonts.gstatic.com tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 jmkjs.googlecode.com udp
GB 142.250.200.19:80 rizqi.moehamed.googlepages.com tcp
GB 142.250.187.238:443 apis.google.com tcp
GB 64.233.166.82:80 jmkjs.googlecode.com tcp
US 8.8.8.8:53 sites.google.com udp
GB 216.58.201.110:80 sites.google.com tcp
US 8.8.8.8:53 radarurl.com udp
GB 216.58.201.110:443 sites.google.com tcp
US 8.8.8.8:53 cdn.wibiya.com udp
US 104.21.16.1:80 cdn.wibiya.com tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 www.tealdit.com udp
US 104.21.72.39:80 www.tealdit.com tcp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
GB 216.58.212.233:443 www.blogger.com udp
US 8.8.8.8:53 blogger.googleusercontent.com udp
US 104.21.72.39:443 www.tealdit.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
US 8.8.8.8:53 233.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 19.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 82.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 39.72.21.104.in-addr.arpa udp
GB 64.233.166.82:80 jmkjs.googlecode.com tcp
US 8.8.8.8:53 i1138.photobucket.com udp
US 8.8.8.8:53 adf.ly udp
US 8.8.8.8:53 adfoc.us udp
DE 143.204.215.71:80 i1138.photobucket.com tcp
US 8.8.8.8:53 divine-music.info udp
US 8.8.8.8:53 www.addtoany.com udp
US 8.8.8.8:53 twitter.com udp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.divine-music.info udp
US 8.8.8.8:53 www.filesin.com udp
US 8.8.8.8:53 iyenkrasta.blogspot.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 a7x-maker.blogspot.com udp
US 8.8.8.8:53 add.my.yahoo.com udp
DE 143.204.215.71:443 i1138.photobucket.com tcp
US 8.8.8.8:53 andi-cools.blogspot.com udp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 8.8.8.8:53 forum.us-net.org udp
US 8.8.8.8:53 gbcg.blogspot.com udp
US 8.8.8.8:53 khobil.net udp
GB 216.58.212.233:80 www.blogger.com tcp
US 8.8.8.8:53 nyit-nyit.net udp
US 8.8.8.8:53 repo.antihackerlink.or.id udp
US 8.8.8.8:53 the-kress.blogspot.com udp
US 8.8.8.8:53 thekingoffire.co.cc udp
US 8.8.8.8:53 www.maincit.net udp
US 8.8.8.8:53 www.netvibes.com udp
GB 172.217.16.225:443 blogger.googleusercontent.com udp
US 8.8.8.8:53 www.planetwork.web.id udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 71.215.204.143.in-addr.arpa udp
US 8.8.8.8:53 207.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 59.82.161.3.in-addr.arpa udp
US 8.8.8.8:53 www.scarletzer.us udp
US 8.8.8.8:53 www.siaga-online.blogspot.com udp
US 8.8.8.8:53 x-kil.blogspot.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 69.16.230.165:80 www.filesin.com tcp
US 104.21.74.4:80 www.divine-music.info tcp
US 104.21.74.4:80 www.divine-music.info tcp
US 104.21.74.4:443 www.divine-music.info tcp
US 8.8.8.8:53 img1.blogblog.com udp
GB 216.58.212.233:80 img1.blogblog.com tcp
US 8.8.8.8:53 165.230.16.69.in-addr.arpa udp
US 8.8.8.8:53 4.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.bp.blogspot.com udp
US 8.8.8.8:53 lh6.ggpht.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
GB 142.250.187.193:80 1.bp.blogspot.com tcp
US 8.8.8.8:53 lh3.ggpht.com udp
GB 142.250.178.1:80 lh6.ggpht.com tcp
GB 142.250.187.193:80 lh3.ggpht.com tcp
US 8.8.8.8:53 lh4.ggpht.com udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 images.cooltext.com udp
US 8.8.8.8:53 i55.tinypic.com udp
CA 51.79.72.17:80 images.cooltext.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
US 8.8.8.8:53 img443.imageshack.us udp
US 38.99.77.16:80 img443.imageshack.us tcp
US 8.8.8.8:53 i1134.photobucket.com udp
US 38.99.77.16:80 img443.imageshack.us tcp
US 8.8.8.8:53 ares2.cooltext.com udp
DE 143.204.215.78:80 i1134.photobucket.com tcp
CA 51.79.72.17:80 ares2.cooltext.com tcp
US 8.8.8.8:53 i1109.photobucket.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 17.72.79.51.in-addr.arpa udp
US 8.8.8.8:53 16.77.99.38.in-addr.arpa udp
US 8.8.8.8:53 78.215.204.143.in-addr.arpa udp
DE 143.204.215.89:80 i1109.photobucket.com tcp
US 8.8.8.8:53 i1238.photobucket.com udp
DE 143.204.215.54:80 i1238.photobucket.com tcp
US 8.8.8.8:53 89.215.204.143.in-addr.arpa udp
US 8.8.8.8:53 54.215.204.143.in-addr.arpa udp
US 8.8.8.8:53 cdn.nyit-nyit.net udp
US 8.8.8.8:53 resources.blogblog.com udp
GB 216.58.212.233:443 resources.blogblog.com tcp
GB 216.58.212.233:443 resources.blogblog.com udp
GB 142.250.187.238:443 apis.google.com udp
GB 142.250.180.2:80 pagead2.googlesyndication.com tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 developers.google.com udp
DE 157.240.210.14:80 connect.facebook.net tcp
GB 142.250.200.46:80 developers.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 142.250.187.238:443 apis.google.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 142.250.200.46:443 developers.google.com tcp
US 8.8.8.8:53 platform.twitter.com udp
US 8.8.8.8:53 static.addtoany.com udp
US 8.8.8.8:53 cdn.viglink.com udp
GB 142.250.178.3:443 ssl.gstatic.com tcp
GB 172.217.16.225:443 lh3.googleusercontent.com udp
GB 151.101.188.157:80 platform.twitter.com tcp
US 104.22.70.197:80 static.addtoany.com tcp
DE 143.204.215.42:80 cdn.viglink.com tcp
US 104.22.70.197:443 static.addtoany.com tcp
GB 151.101.188.157:443 platform.twitter.com tcp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 157.188.101.151.in-addr.arpa udp
US 8.8.8.8:53 197.70.22.104.in-addr.arpa udp
US 8.8.8.8:53 42.215.204.143.in-addr.arpa udp
US 104.22.70.197:443 static.addtoany.com tcp
BE 142.251.173.84:443 accounts.google.com tcp
US 8.8.8.8:53 i877.photobucket.com udp
US 8.8.8.8:53 d35m0nfeeqvaj5.cloudfront.net udp
DE 143.204.215.89:80 i877.photobucket.com tcp
DE 18.66.137.123:443 d35m0nfeeqvaj5.cloudfront.net tcp
US 8.8.8.8:53 comparisons.sovrn.com udp
DE 18.66.147.39:443 comparisons.sovrn.com tcp
US 8.8.8.8:53 syndication.twitter.com udp
GB 142.250.178.3:443 ssl.gstatic.com tcp
US 104.244.42.136:443 syndication.twitter.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
DE 65.9.66.92:80 crt.rootg2.amazontrust.com tcp
US 8.8.8.8:53 84.173.251.142.in-addr.arpa udp
US 8.8.8.8:53 123.137.66.18.in-addr.arpa udp
US 8.8.8.8:53 39.147.66.18.in-addr.arpa udp
US 8.8.8.8:53 136.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 92.66.9.65.in-addr.arpa udp
US 8.8.8.8:53 www.underconsideration.com udp
US 216.92.206.238:80 www.underconsideration.com tcp
US 8.8.8.8:53 api.viglink.com udp
IE 52.49.59.146:443 api.viglink.com tcp
US 216.92.206.238:443 www.underconsideration.com tcp
IE 52.49.59.146:443 api.viglink.com tcp
IE 52.49.59.146:443 api.viglink.com tcp
IE 52.49.59.146:443 api.viglink.com tcp
US 8.8.8.8:53 iepv.exe udp
US 8.8.8.8:53 mailpv.exe udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 mobile.resto-lincontournable.com udp
US 8.8.8.8:53 moblie.resto-lincontournable.com udp
US 8.8.8.8:53 mspass.exe udp
US 8.8.8.8:53 passwordfox.exe udp
US 8.8.8.8:53 pspv.exe udp
US 8.8.8.8:53 238.206.92.216.in-addr.arpa udp
US 8.8.8.8:53 146.59.49.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.212.206:443 play.google.com tcp
GB 216.58.212.206:443 play.google.com udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 26.252.100.95.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
GB 216.58.212.233:443 resources.blogblog.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
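Most of the Network table is browser traffic rather than the sample's own: once Edge opens the blogspot page, every embedded widget (fbcdn, photobucket, tinypic, imageshack, addtoany, viglink, twitter, googlesyndication) is fetched, the in-addr.arpa rows are reverse lookups the sandbox issues for the addresses it contacted, and the 443/udp rows are QUIC. The rows that matter are the DNS queries for iepv.exe, mailpv.exe, mspass.exe, passwordfox.exe and pspv.exe: those are the file names of NirSoft's IE PassView, Mail PassView, MessenPass, PasswordFox and Protected Storage PassView credential-recovery utilities (editor's identification, not a claim the report makes), and a process handing a bare file name to a name-resolving API produces exactly this pattern. Together with the "Browser Information Discovery" tag in the summary, that is the strongest signal in the table. The following is an added example, not part of the report, that parses the flattened rows, separates resolver noise from forward lookups and connections, and flags executable names sent to DNS; the row subset is constructed by copying lines from the table above.

```python
import re
from collections import defaultdict

# Constructed subset of the Network table above (Country, Destination, Domain,
# Proto), copied row for row; the real table has several hundred rows.
SAMPLE_ROWS = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 www.cybercrime-community.blogspot.com udp
GB 142.250.187.193:80 www.cybercrime-community.blogspot.com tcp
US 8.8.8.8:53 sites.google.com udp
GB 216.58.201.110:443 sites.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 iepv.exe udp
US 8.8.8.8:53 mailpv.exe udp
US 8.8.8.8:53 mspass.exe udp
US 8.8.8.8:53 passwordfox.exe udp
US 8.8.8.8:53 pspv.exe udp
US 8.8.8.8:53 moblie.resto-lincontournable.com udp
"""

# File names of NirSoft password-recovery utilities. This mapping is the
# editor's knowledge, not something the report states.
NIRSOFT_TOOLS = {
    "iepv.exe": "IE PassView",
    "mailpv.exe": "Mail PassView",
    "mspass.exe": "MessenPass",
    "passwordfox.exe": "PasswordFox",
    "pspv.exe": "Protected Storage PassView",
}

# The Domain column is optional (the mDNS row has none).
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the flattened sandbox rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def triage(rows):
    """Bucket rows: PTR noise, forward lookups, .exe lookups, connections, known tools."""
    out = defaultdict(list)
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            name = r["domain"] or ""
            if name.endswith(".in-addr.arpa"):
                out["ptr"].append(name)          # reverse lookups: sandbox/OS noise
            elif name.lower().endswith(".exe"):
                out["exe_lookups"].append(name)  # a file name handed to the resolver
            else:
                out["lookups"].append(name)
        else:
            out["connections"].append((r["ip"], r["port"], r["proto"], r["domain"]))
    out["tool_lookups"] = {
        n: NIRSOFT_TOOLS[n] for n in out["exe_lookups"] if n in NIRSOFT_TOOLS
    }
    return out


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for name, tool in result["tool_lookups"].items():
        print(f"{name}: {tool}")
```

Run against the full table, the "lookups" bucket is what to compare against the URLs in the Processes list: anything the browser did not open is a candidate for the sample's own traffic, while the "exe_lookups" bucket is the part a hunting query should key on.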

Files

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe

MD5 34af6c2eb5611b438ccee96322e95cf6
SHA1 130af140d5797a6294770aa8087196982d338865
SHA256 e79f4b31112216e976b9caac58056c438c1ac3a94079db49e5b6ca02bf90c10e
SHA512 d392715012bc8b5277b08d192f612c8e2533dfdef7e28f9a266cf1b6c3a1fe392aaa7d180f5607714a1f8baa7a0db078d4be37a10becb4139f1ab5fa9adf662c

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\GIFviewer.ocx

MD5 73404435b36b8cb9ea68be6d4249488e
SHA1 ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02
SHA256 2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c
SHA512 e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\CyberCrime.wav

MD5 6cf10c336dc0da94bd115c5ba40f9d27
SHA1 362ff39674b2ee616e31d1df1434f5fd99a5e3fd
SHA256 8c2e455cf6601f37c655616457950cad00d1d924dac07d02c901efac8591f871
SHA512 eb5c2dec8a5ae4fdcfa3f1b72d97d8f62256577a7e4481ee15fcf4c2ba0f01b55fb407a0de3275a2b0abf361211b968ef755f316d8167be91a234c5bc5898203

memory/4236-25-0x0000000004480000-0x0000000004481000-memory.dmp

memory/4236-26-0x0000000005D20000-0x0000000005D21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

\??\pipe\LOCAL\crashpad_4804_DKZIDPAKYMUSQDZO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0e91bfdd9c8105957d22ef63775305fb
SHA1 fb292cd07b9f5784a4bd249d03c1885855452687
SHA256 17ec36a74bc422cc8b422e41badd9995901306f3a070b4656c3549c49bbca71b
SHA512 9ea8e813cba400dcd8bd85adb61a5dfddc645e9e85a9ca4392154a029fc69af63ea2d645d847c39a780104ddaf1a8360ed19fad4967a7d6b44591a792502adb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 be5ec9a7f5da7b50fa2760c697434445
SHA1 e50c9958108b9d52392ec03d570b9334dbaa75eb
SHA256 133ac6cc4abc893342dfe65ade2ebc6b7bd0caae2e5394212936540923576cbe
SHA512 7cb3e7a2380a925d42d5c1030bd9e65636b3513c47f5e1c88831f8a93e8a404e1202f15dce3dc6497eb6c28bf07e20dc0cbef9f5aa1d0a0fc49a75e5ada266d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1680-177-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4236-197-0x0000000005D20000-0x0000000005D21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d2ef2d2e-a3b9-444a-a447-56f8d7cee5d1.tmp

MD5 3de7d5ff996d793140580f6eeacdd023
SHA1 a6fab34189dccdf119e3eac9e1da3a83b08a6dda
SHA256 b514ce6dfc1f822f8b1f6b03c0e99b6eee5d45c89b29755632356979af7ca98f
SHA512 6796b3a7fd4f7f30c957d83299a49b498d261e4ba5ba09e33d532df45803196dad4fb02361762905a5804740007c8dd1a596df84c9f641e7959751a0f85cdb9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 15a95f87d231c059ec556bce8b2a4974
SHA1 4737170fff850033d016f689430068c999c78ad4
SHA256 669b7f6697d84fefcdeb2c65bc7678a2fa772fbd3f80142bb19c2d268d5ce0a3
SHA512 24a6500f8d5f4c261fbc1c47bbdfbb3cc9706913bd272d438175706127463236bbdd2d8a416430692a21c7087c9605cee32cc76ec4b737acc7628841273460a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

MD5 1da8deabd421929fa1a865599f43aad8
SHA1 88af7573c39022643333f85b523a329cb6448675
SHA256 07b01330c36ae322ea1f1e2ea70e60b629b292b3f7ee7aae5a9968dcf341e685
SHA512 0be3f8d02397c3cc32164b116c807115c42a310fd70c72c94b3b523732422ea2b222d8762e81d91ef0c36a8328df4f7ae8e4570c4bc46ab94cbed5131389ea3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5e697103692d56a7b408f8446b863b45
SHA1 7e332f2664931f2dc05ca89765de6e96651c9470
SHA256 58351909955ccd1510c1e4a24dc914f1b8195d240edafd3b25288d461ca57173
SHA512 d160bd5f4e6ec4134e5554c3cf34e5f12aa1ca7b6129032ebd4bdcd1758f4a3dae7c084489aada696c14f1a997f7f2b0296e00ad85f090d4f1d3d42f9f327d68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4d7faaa3919b149f5d297d24a89ca0a5
SHA1 8a12e072e0dc294176d11701e4d89ca924771398
SHA256 1f7e0f061dd611761fb6c4aed938999ef9daf35b1dfec2d185b888a96205948a
SHA512 2b10a701d11df7e007fef6692dc54d84a9c1913870bf462d8e46329afce85195850e027aaa974112572363353e8f467c1298896493ed35793b76f0a038330667

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed1f.TMP

MD5 6f92e88fbc1b522c56c0f929178c2538
SHA1 db33c7fef3d9b057f05f6e9321b5c08371823152
SHA256 f7d0d219873533fc9701f12eedba54f4d5132fe2d32e31543098c869bc1bc0ee
SHA512 fbb8f37fb6d0f09d1c118b978b70e0e0f4f48d88fffbdf929e24540465f3f20858e00bff7a350d4e0846931f4e9aae3aa86787327c4fc478ab71953d9755c3fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9518670b8fc936004f4501b13178bccb
SHA1 c588788a0f93697024125c727343e7dfab3477c3
SHA256 b4db3a274c7846b63faea973203a9142ec19670491f5f0256d1dc3bae587cfa7
SHA512 927290cf1822632f80d43a46acb264f16d43d4942df51dee361a884839e65747200fcea91de577662c4be775d39082035107b297693e7101eb9b21ab234c8c98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9375e1755870a4cbeef3133deb856b2c
SHA1 19c657cf216d10ed8606bb9f578dc13ef5cb99cf
SHA256 85d44734fda68b4427e3e3b8657e620b309a66632e366a6b1ff1d4169b645b42
SHA512 67f271b1c0e8d6dcf5c802c9aca1e7a73d46edc33ca504d2983dd831f6ca599b204b20511575cda619c256be1b69fa26ca72bce60d13158d045655dba7e9b4c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 311227d9fe6f58617688658376b89d84
SHA1 8d6f00a2d7303ae350b21c7f9424c6bed467b259
SHA256 e619a6bb328e84822abeea4243b74a89ca933dbd1011ad0a652d2cf63ee49e48
SHA512 9c612c713f75fe00e6b62aa0249b6667b9263694f7493ecdca54a7ce1f43f285cf957fea214e13654226f532f4eac48002b5f411ea4ec1573607fa5ac884b8ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c78554f2d3e7c60177503bc06c04519e
SHA1 17c5ef80e830b149cf4b4bfd278b5dc43f99967b
SHA256 cc8bc942239c058f9365c08a251a3c1bf310f3bf9853fec065f1e939c6908628
SHA512 f0c69cdce7b88cd7fe7345dbbcb1fc00e1748903242e1776baac53ee40210a3a9c7e4fc8176b5af139b237b4e05dbad0833a5fab5b3e4171db2d3f02fb788119

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1d27d09ae502c8901a2e557798b25d2f
SHA1 3fb956b2805fda46fd7faa053521629687aa6d30
SHA256 c3574433020734ae9b6461c75fcecb8390eec79ee6aa8123bd994afe76e9804b
SHA512 f691df5e17b8642d55b9f1df9a6f70c1ebb0978bf2c31b89c8c35d30787d967806e7e66e829e9fa4ef8de26523bb7a7fd7f71c69bfe2ea33abe8104ad01d0761
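Only the three files under ~sfx00272874FD (Afterhack.exe, GIFviewer.ocx, CyberCrime.wav) are the sample's own drops. Everything under Edge\User Data is written by the browser, the memory/ entries are dumps with no hashes, and the crashpad named pipe carries the digests of zero-length input (MD5 d41d8cd9…, SHA1 da39a3ee…, SHA256 e3b0c442…), so importing that row into a blocklist would match every empty file on the estate. The following is an added example, not part of the report, that parses this path-then-digests layout, drops the non-indicators, and verifies the empty-content case with hashlib instead of trusting hard-coded constants; the excerpt is constructed by copying five entries from the list above.

```python
import hashlib
import re

# Constructed excerpt of the Files section above: a path line, then one digest
# per line, blank line between entries. Hashes are copied from the report.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe

MD5 34af6c2eb5611b438ccee96322e95cf6
SHA1 130af140d5797a6294770aa8087196982d338865
SHA256 e79f4b31112216e976b9caac58056c438c1ac3a94079db49e5b6ca02bf90c10e
SHA512 d392715012bc8b5277b08d192f612c8e2533dfdef7e28f9a266cf1b6c3a1fe392aaa7d180f5607714a1f8baa7a0db078d4be37a10becb4139f1ab5fa9adf662c

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\GIFviewer.ocx

MD5 73404435b36b8cb9ea68be6d4249488e
SHA1 ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02
SHA256 2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c
SHA512 e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

memory/4236-25-0x0000000004480000-0x0000000004481000-memory.dmp

\??\pipe\LOCAL\crashpad_4804_DKZIDPAKYMUSQDZO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 be5ec9a7f5da7b50fa2760c697434445
SHA1 e50c9958108b9d52392ec03d570b9334dbaa75eb
SHA256 133ac6cc4abc893342dfe65ade2ebc6b7bd0caae2e5394212936540923576cbe
SHA512 7cb3e7a2380a925d42d5c1030bd9e65636b3513c47f5e1c88831f8a93e8a404e1202f15dce3dc6497eb6c28bf07e20dc0cbef9f5aa1d0a0fc49a75e5ada266d5
"""

DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

# Digests of zero-length input, computed rather than hard-coded: an entry whose
# hashes equal these has no content and must not become an indicator.
EMPTY_DIGESTS = {
    algo: getattr(hashlib, algo.lower())(b"").hexdigest()
    for algo in ("MD5", "SHA1", "SHA256", "SHA512")
}


def parse_files(text):
    """Parse path/digest blocks into [{'path': ..., 'hashes': {algo: hex}}]."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def classify(entry):
    """Bucket an entry so that only the sample's own drops become indicators."""
    path, hashes = entry["path"], entry["hashes"]
    if path.startswith("memory/"):
        return "memory_dump"
    if hashes and all(hashes[a] == EMPTY_DIGESTS[a] for a in hashes):
        return "empty_content"
    if "\\Microsoft\\Edge\\User Data\\" in path:
        return "browser_profile"   # written by Edge, not by the sample
    if "\\AppData\\Local\\Temp\\" in path:
        return "dropped"
    return "other"


def iocs(text):
    """SHA256 per dropped file, keyed by path; everything else is filtered out."""
    return {
        e["path"]: e["hashes"]["SHA256"]
        for e in parse_files(text)
        if classify(e) == "dropped" and "SHA256" in e["hashes"]
    }


if __name__ == "__main__":
    for path, sha256 in iocs(FILES_TEXT).items():
        print(sha256, path)
```

The browser-profile filter is a path prefix because those files change on every run of Edge; their hashes are specific to this detonation, not to the sample, and would never match on another host.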

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-23 04:14

Reported

2025-01-23 04:17

Platform

win7-20240903-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe"

Signatures

Detected google phishing page

phishing google

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A sites.google.com N/A N/A
N/A sites.google.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93B88321-D940-11EF-854E-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443767553" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007afce29af4a9c3498ea86f797b3c183d000000000200000000001066000000010000200000002c9f5d627331f2489f14d4cc15eaea670d7cf2364614c9f1199060aeee0478b9000000000e800000000200002000000019cb230b5d33986cdc35dacbe5370bd5e06a804597d347988b5eba294bfb2d2a20000000890930e405d617d4db30b7d6a318cf1e160aa975fa6204feb45e0f644e517d4e400000006e0c3fd3c23bb398bd36f244c5e8d1ba64eafe8a5fa1c666151cb86c7e803083eb0604972fa91b6cc8d5c944ac34ddf6626e252bf1e0b733b1f05625f966b6be C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 701cda6a4d6ddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93B575E1-D940-11EF-854E-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~sfx00272874FD\\GIFviewer.ocx, 30000" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}" C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2872 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2772 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_139fe589e46d20919cff2c174895f8a8.exe"

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe

"C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.cybercrime-community.blogspot.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/pages/CyberCrime-Community/282353635172491

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cybercrime-community.blogspot.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 142.250.187.193:80 www.cybercrime-community.blogspot.com tcp
GB 142.250.187.193:80 www.cybercrime-community.blogspot.com tcp
US 8.8.8.8:53 cybercrime-community.blogspot.com udp
GB 142.250.187.193:80 cybercrime-community.blogspot.com tcp
GB 142.250.187.193:80 cybercrime-community.blogspot.com tcp
US 8.8.8.8:53 www.blogger.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 rizqi.moehamed.googlepages.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 jmkjs.googlecode.com udp
US 8.8.8.8:53 blogger.googleusercontent.com udp
US 8.8.8.8:53 i1138.photobucket.com udp
GB 172.217.169.10:80 ajax.googleapis.com tcp
GB 172.217.169.10:80 ajax.googleapis.com tcp
GB 216.58.212.233:443 www.blogger.com tcp
GB 216.58.212.233:443 www.blogger.com tcp
GB 216.58.212.233:80 www.blogger.com tcp
US 8.8.8.8:53 radarurl.com udp
US 8.8.8.8:53 cdn.wibiya.com udp
US 8.8.8.8:53 www.filesin.com udp
US 8.8.8.8:53 divine-music.info udp
GB 142.250.200.10:80 fonts.googleapis.com tcp
GB 142.250.200.10:80 fonts.googleapis.com tcp
US 8.8.8.8:53 img1.blogblog.com udp
GB 142.250.187.238:443 apis.google.com tcp
DE 143.204.215.78:80 i1138.photobucket.com tcp
GB 142.250.187.238:443 apis.google.com tcp
DE 143.204.215.78:80 i1138.photobucket.com tcp
GB 64.233.166.82:80 jmkjs.googlecode.com tcp
GB 64.233.166.82:80 jmkjs.googlecode.com tcp
US 8.8.8.8:53 1.bp.blogspot.com udp
US 8.8.8.8:53 lh3.ggpht.com udp
US 8.8.8.8:53 lh4.ggpht.com udp
US 8.8.8.8:53 lh6.ggpht.com udp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
US 8.8.8.8:53 forum.us-net.org udp
US 8.8.8.8:53 images.cooltext.com udp
US 8.8.8.8:53 img443.imageshack.us udp
US 8.8.8.8:53 i1134.photobucket.com udp
US 8.8.8.8:53 i55.tinypic.com udp
GB 142.250.200.19:80 rizqi.moehamed.googlepages.com tcp
GB 142.250.200.19:80 rizqi.moehamed.googlepages.com tcp
US 8.8.8.8:53 i1109.photobucket.com udp
US 8.8.8.8:53 i1238.photobucket.com udp
US 8.8.8.8:53 cdn.nyit-nyit.net udp
US 8.8.8.8:53 resources.blogblog.com udp
GB 216.58.212.233:443 resources.blogblog.com tcp
US 172.67.194.56:80 divine-music.info tcp
US 172.67.194.56:80 divine-music.info tcp
US 38.99.77.16:80 img443.imageshack.us tcp
US 38.99.77.16:80 img443.imageshack.us tcp
US 104.21.96.1:80 cdn.wibiya.com tcp
US 104.21.96.1:80 cdn.wibiya.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 216.58.212.233:80 resources.blogblog.com tcp
GB 216.58.212.233:80 resources.blogblog.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 142.250.178.1:80 lh6.ggpht.com tcp
GB 142.250.178.1:80 lh6.ggpht.com tcp
CA 51.79.72.17:80 images.cooltext.com tcp
CA 51.79.72.17:80 images.cooltext.com tcp
DE 143.204.215.78:80 i1238.photobucket.com tcp
DE 143.204.215.78:80 i1238.photobucket.com tcp
DE 143.204.215.71:80 i1238.photobucket.com tcp
DE 143.204.215.78:80 i1238.photobucket.com tcp
DE 143.204.215.78:80 i1238.photobucket.com tcp
DE 143.204.215.71:80 i1238.photobucket.com tcp
GB 216.58.212.233:443 resources.blogblog.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 216.58.212.233:443 resources.blogblog.com tcp
GB 142.250.187.193:80 lh4.ggpht.com tcp
GB 216.58.212.233:443 resources.blogblog.com tcp
GB 216.58.212.233:443 resources.blogblog.com tcp
US 8.8.8.8:53 sites.google.com udp
DE 143.204.215.78:443 i1238.photobucket.com tcp
US 69.16.230.165:80 www.filesin.com tcp
US 69.16.230.165:80 www.filesin.com tcp
US 172.67.194.56:443 divine-music.info tcp
US 172.67.194.56:443 divine-music.info tcp
GB 216.58.201.110:80 sites.google.com tcp
DE 143.204.215.78:443 i1238.photobucket.com tcp
DE 143.204.215.71:443 i1238.photobucket.com tcp
DE 143.204.215.78:443 i1238.photobucket.com tcp
GB 216.58.201.110:80 sites.google.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
DE 157.240.210.14:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 ares2.cooltext.com udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.110:443 sites.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
CA 51.79.72.17:80 ares2.cooltext.com tcp
CA 51.79.72.17:80 ares2.cooltext.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.tealdit.com udp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
GB 172.217.16.227:80 c.pki.goog tcp
US 104.21.72.39:80 www.tealdit.com tcp
US 104.21.72.39:80 www.tealdit.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
US 69.16.230.165:80 www.filesin.com tcp
US 69.16.230.165:80 www.filesin.com tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
US 104.21.72.39:443 www.tealdit.com tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
GB 172.217.16.227:80 o.pki.goog tcp
US 8.8.8.8:53 accounts.google.com udp
BE 142.251.173.84:443 accounts.google.com tcp
BE 142.251.173.84:443 accounts.google.com tcp
US 69.16.230.165:80 www.filesin.com tcp
US 69.16.230.165:80 www.filesin.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
GB 172.217.16.225:443 blogger.googleusercontent.com tcp
US 69.16.230.165:80 www.filesin.com tcp
US 69.16.230.165:80 www.filesin.com tcp
GB 142.250.179.227:80 fonts.gstatic.com tcp
GB 142.250.179.227:80 fonts.gstatic.com tcp
GB 142.250.178.2:80 pagead2.googlesyndication.com tcp
GB 142.250.178.2:80 pagead2.googlesyndication.com tcp
US 8.8.8.8:53 radarurl.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 platform.twitter.com udp
US 8.8.8.8:53 static.addtoany.com udp
US 8.8.8.8:53 cdn.viglink.com udp
GB 151.101.188.157:80 platform.twitter.com tcp
GB 151.101.188.157:80 platform.twitter.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.22.71.197:80 static.addtoany.com tcp
US 104.22.71.197:80 static.addtoany.com tcp
DE 143.204.215.65:80 cdn.viglink.com tcp
DE 143.204.215.65:80 cdn.viglink.com tcp
DE 157.240.210.14:80 connect.facebook.net tcp
DE 157.240.210.14:80 connect.facebook.net tcp
US 104.22.71.197:443 static.addtoany.com tcp
DE 157.240.210.14:443 connect.facebook.net tcp
US 8.8.8.8:53 d35m0nfeeqvaj5.cloudfront.net udp
US 8.8.8.8:53 comparisons.sovrn.com udp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
DE 18.66.137.155:443 d35m0nfeeqvaj5.cloudfront.net tcp
DE 18.66.137.155:443 d35m0nfeeqvaj5.cloudfront.net tcp
GB 157.240.221.35:80 www.facebook.com tcp
GB 157.240.221.35:80 www.facebook.com tcp
GB 142.250.187.238:443 apis.google.com tcp
GB 142.250.187.238:443 apis.google.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
US 104.22.71.197:443 static.addtoany.com tcp
US 104.22.71.197:443 static.addtoany.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
GB 142.250.178.3:443 ssl.gstatic.com tcp
GB 142.250.178.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 developers.google.com udp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
DE 18.66.147.119:443 comparisons.sovrn.com tcp
GB 142.250.200.46:80 developers.google.com tcp
GB 142.250.200.46:80 developers.google.com tcp
DE 157.240.210.14:443 connect.facebook.net tcp
DE 157.240.210.14:443 connect.facebook.net tcp
GB 142.250.200.46:443 developers.google.com tcp
US 8.8.8.8:53 api.viglink.com udp
IE 34.246.148.211:443 api.viglink.com tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
DE 18.245.74.139:80 ocsp.r2m02.amazontrust.com tcp
IE 34.246.148.211:443 api.viglink.com tcp
IE 34.246.148.211:443 api.viglink.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
FR 95.101.134.51:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
FR 2.21.225.223:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\Afterhack.exe

MD5 34af6c2eb5611b438ccee96322e95cf6
SHA1 130af140d5797a6294770aa8087196982d338865
SHA256 e79f4b31112216e976b9caac58056c438c1ac3a94079db49e5b6ca02bf90c10e
SHA512 d392715012bc8b5277b08d192f612c8e2533dfdef7e28f9a266cf1b6c3a1fe392aaa7d180f5607714a1f8baa7a0db078d4be37a10becb4139f1ab5fa9adf662c

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\GIFviewer.ocx

MD5 73404435b36b8cb9ea68be6d4249488e
SHA1 ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02
SHA256 2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c
SHA512 e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

C:\Users\Admin\AppData\Local\Temp\~sfx00272874FD\CyberCrime.wav

MD5 6cf10c336dc0da94bd115c5ba40f9d27
SHA1 362ff39674b2ee616e31d1df1434f5fd99a5e3fd
SHA256 8c2e455cf6601f37c655616457950cad00d1d924dac07d02c901efac8591f871
SHA512 eb5c2dec8a5ae4fdcfa3f1b72d97d8f62256577a7e4481ee15fcf4c2ba0f01b55fb407a0de3275a2b0abf361211b968ef755f316d8167be91a234c5bc5898203

memory/2636-25-0x0000000003D70000-0x0000000003D71000-memory.dmp

memory/2636-28-0x0000000004A50000-0x0000000004A51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93B88321-D940-11EF-854E-7ED3796B1EC0}.dat

MD5 539912cf44a75d79959bed3d0b0fbae1
SHA1 4823752a6cc6df30bbecd1da5bb1a2221217e3bb
SHA256 93f1ee23011200f3e8ede8763b4b8a2c4770911eea8440d15f3751269ee1c66e
SHA512 2bd569ad2a6e7d3054f7f7e0e018b271561738e98a2e0b756952867ee767477f20ed24a55fb30be96cb9b319e6b17065333b25e29282720163daaa3150c8047b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93B575E1-D940-11EF-854E-7ED3796B1EC0}.dat

MD5 ff59f4e4938ae38304e1a1bfd1ccc750
SHA1 83af0c16233699dc36a4444f41c0d6ce2d0e93e1
SHA256 4e42cd6eeb3bef361dec0d4815be2627fea62359a43987b65694307693573cee
SHA512 691c81705bf07c9abf563ea9be1c0561a72479c3e997096a070d838b254a82c6548fa3e3f06fc7eda1186f2bd0b5a8542b9432f654deec7e0460d157a2cbfb48

C:\Users\Admin\AppData\Local\Temp\CabE38D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE44C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c72747b7a09139a115db1dfae702f1d
SHA1 f7b7dcbff4c49a6342d0c8f4e1e290e0363624f6
SHA256 7bcc090d1a4bcb9f8709cb1b4266ce48c404f79c4f305ad50cbe5a85a446f876
SHA512 e66e09be71598c386084f06e9e7d08dec86e5d21d28ed1afdea2a48851b05ce3aa61e36db414ddf687bbf7c2c7d458c6c6c48ae25d2134fad32b3d73bac86319

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 886089496c22a48435f408534745b693
SHA1 14e0d5951b49e4c16fa24bae0cc19b9e677c568f
SHA256 a86e3518fa9f893bf528fda13bdc6105bdcb4b329b194515fd799db5de65a9a6
SHA512 39ac0ed7df74d6bfd38da309489563ddb887bf2235958d853cb963e1788571c27852c045d6cdf393cb9c9726434ca7ca9a4c4e797762db2882505473b0e29108

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 7cdd119ab3938766cae747a29ef4084d
SHA1 d8ef6f99abdeccf2e1e9db1fe0d61c15f04d29b2
SHA256 00ad42fc9ccb3c79e3b75f8f7d0bd6bab4eac8a7c321ba2587c4f548613bc244
SHA512 1093a5eccb0950cb0eb78ec6626f0a0559f0510be6956e22f89b3d6c99a6289ba9ee4a6d3479b2f73a07f075c37e8c99b647eb9d6e31c97365ee6fabe1706d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ce37c51d71c60d5d9f03db8025d8e5ce
SHA1 47eb3cd61e4fd5938c7ea606219279f934ed6864
SHA256 563313d082349125749e28bb16894d34b51d310a1744d886594fb2e4bf346dea
SHA512 b0c1be3d94eb374b94b24239ad010e29f627b4e3e2250172e8d8c220699246b0d92971463ed82493a1c1c3cac214e758b40baaa6075f3d66e622fb8adb2aa41f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9c874357a4f13f8a20154c21a077ec60
SHA1 c61e6bbadf0f7ad56ac0e9560be9606167f1f3b2
SHA256 f31af54f01bfb058f9ebbc054647c87f127f3449a6c7d2ea724e8f6a990ba105
SHA512 dc038fee26816b6eda524d57f95c1492268a8fa0bf29a8d886176cd27b2e624db09731e7f4f59e1d9bcfc069bf499295a25ce583834dc566c9f445a5cd3d48c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 573e7acfed8ddb6e68db873c153ec76c
SHA1 346d72d1dbf59650093032e5ab46a4f33e9c55b1
SHA256 2ce39b2689605ae5791b24e5c661750a6e5a76f919073901e45fbd1ab90e204c
SHA512 d53442c77bbb50ca26767ab05f54e5cc8c7d8e0e3eca3a555d10cc969099fe85b163e99390d5880bef6d94e9e2476cb121ebd2c65f6a6abdff070b95423ec978

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

MD5 e935bc5762068caf3e24a2683b1b8a88
SHA1 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256 a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512 bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eab9011c6c65ce98ffc78c6515ea93cd
SHA1 7c0b0d1c9851a8ac0ab1ae4d4d5592f77db3dd79
SHA256 1aa0d4d6f7c42ace85781f5125ab377685b0cfb3815c4bc7b9666cb4829a0465
SHA512 6ce847e4663e70d77528132215754b8acb514dfd06bbfe01f4f941ecd895734ad163d16f83cc088db3f30694aa773b30629ef34af277c864fc0c72733defd926

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 1a2929ac4cdc4cd9b815c3580871b9e3
SHA1 9fdbfae484686ff5bd79eb59f362d26d11b3a258
SHA256 166e56d076009287342ec9d3f40710452c4f767dda6270f900ceaff251b1d0f3
SHA512 3419652b8d252931c897b1b9226222167c2e1c257c23a54b5612b9e3ee31080bcdc043f6d0fe75bc2dc50cded0f4b3cf517e3f3e16b2c611407ae263c1ce38fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_CF0CBB3D0D6F86153E0774F3F89E134C

MD5 dc569ef3093f89b3f78103a27456f257
SHA1 994a1c165ce6d8d673ac3f3c50e129102ab645db
SHA256 e79afa9940a84714344fbe0de0a65fe4b6b9aa44ee6d87b738c9951a4c030fe6
SHA512 a5b9b2783eb3a0c3637c38aa6b8241d43dabfdae9b65af52632ec7426a54af18a8eed5e3d47aa3c9f9a240c86c4ba945c99bf67551b5303b852df52dc2d72e5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76ccf95e0d67d16d564cf95595392956
SHA1 4efe993630d5c757414dfa4cd6fb9182d1889294
SHA256 6b29e748af8072c53a213535dfebd2b9f15c654f204a5a0e9ffac04c28257f5a
SHA512 b08eedc63cf1c416fd28bb3a3910d01270ee9337176986d7005c3452723f0615cedf69373121e83e515e1336027e7a0b66f2559769424d077b5eab0a1780ff15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_CF0CBB3D0D6F86153E0774F3F89E134C

MD5 dc8865f24f22e59b6952db3a1a5d1dcb
SHA1 1665fd87b8ceb5339530af0e9dcc552cd7386427
SHA256 308c7d9893f7f5acdb8254c0fa15abcfb9534ccf5a7d97cbf91f3efd54787423
SHA512 55bf8ead3a6de822f1552c0c4e9717d4a8bb350f8dd343a6286648eee1f3c3a5b51a2e0e272f4785a9bd4c94a70a730bf86a7371923d6c148f921d9cbc7f5880

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_DA783F5F6B4EACF017C07E5A0C9B6E7D

MD5 988f859494a37fa264f0748d4fe52874
SHA1 9a8d8a13e6f14639508fdabea52ed186c4563e6e
SHA256 69338d886a23d07ce4089b560174a488b294e6608b25515c15b6b892fa77a5de
SHA512 6c8858fadfd1ed321416704d2bf0fe61b4531b63d40d4c035e1b92358f6cb7e4e56d8d056650fe01d2c670711920c409f60796c6c3ee5f3ecfe240a16f38e6c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_DA783F5F6B4EACF017C07E5A0C9B6E7D

MD5 ae3b5bbd98df96ee7988eb0c5a60c9e6
SHA1 d12aa268655d5eaf6312866cd60ee8a69c7f45bc
SHA256 eeb0148989bd80019901eb3a4c3157896568e6dc5829252f5548b59b3c498776
SHA512 eb295f91dbd1e6081f1410936077b284fa7e84efba5da887a1cd42afe4ae672da3ee62f79350a5f2ff2073034589366e521b282c01ea964bbc270ea3a1f19aca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6abbf7f54a7b739aca20330866e1881f
SHA1 3ffcee1b6d06bfb392a80ef8a2eca9c5bf0fb2f5
SHA256 25cfec0c17d769da6b534d6ada04b42404f615eea53ccc285e664da5b69ae664
SHA512 0b8fd0b906c5b71b64b9e0d637f8260469897c2c3fd9e1ab138d5fdb6cf8bcb28c050dbbcf9e75b968fb89a1f7ad312ea9c0d9d30d166eb35513d5931b96f54c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 d5ce42ef149a60b82ebf16cc52f18c25
SHA1 d80db4ffd4ccb0374e87574913edbc4b60986e26
SHA256 c38baddaa79930562dacba574332d24095d59c0bf8b274d5ad1b969f785750ce
SHA512 b34fa7db1ce004d1d5b79faf2f3c75f311f8893f3c94b202a3967a0028e6fbb344512b43d8b44fc3f052da8795e02bf8c835ccc7374c7db623a8d34cb7efe7e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe1358b84da8c0304fc79d3c17efc067
SHA1 59198a30eb80e44859e0e0af633aec0a0e282c0a
SHA256 74603e240b77193af8e309b6da54c29d1ad20aab30a276c6954b4848f9e95bfc
SHA512 782c86e700017877a63af7e2debae6cedff3fcf8406f8df257d61dc25becdded3953f28972daa275ca95079b2217ed4c8d5488fb65303b6a0b5ad89536ab3526

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 247e69894c07ba34a4e46cd1176182cd
SHA1 1f51bdba20a4beef2cc8b121d3127f5c02ca237c
SHA256 8099bd4d4020c86fb1492cd8ddaa27c83c3ad445ed7b5ac1f21865f858cfe09b
SHA512 20dff42ef684100bf6c21ed0e7f87c3029db5de305ed7c84ce976bfd21e6302326f80a4f8a324a07cf750b7480a6b4fe0be5ff2b1a61aa6aff92411d318a7df5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85cfc0b2cb5d294f698d6493ab81b4cb
SHA1 4967373b42402aecb0c529aab966df380d45075a
SHA256 0cd0427ee8c1fab32b756da1b2ef8c047302ce750f3086c5151edfd009b750d6
SHA512 39a4b191ba75e96e68d6e4a1cb6d195aa43767926dd0ddcd750da435b1c51a95370a96021ac1c5f055d063243212b33787abd0f565cf4ac1368a6fb9b2bdc6e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 966f53bd867430c4bb1e6b6f12b8712e
SHA1 345351008d0f5025eb6be88375c967df3efd4f2b
SHA256 824581d340c97f61d2cf2672621cc963aa0007fbea13e62d7839f48f0fbf97e6
SHA512 748c96167ff17d2b4f1dc59d8057145db5ef4dbd5ece21ec1b794de43f19fd693cf671769f888cb7dd7a64646cc3182901a9d33adefa62c0ace8877ebae0df3b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\aGT3gskzWBf[1].ico

MD5 3e764f0f737767b30a692fab1de3ce49
SHA1 58fa0755a8ee455819769ee0e77c23829bf488dd
SHA256 88ae5454a7c32c630703440849d35c58f570d8eecc23c071dbe68d63ce6a40d7
SHA512 2831536a2ca9a2562b7be1053df21c2ed51807c9d332878cf349dc0b718d09eeb587423b488c415672c89e42d98d9a9218face1fcf8e773492535cb5bd67e278

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

MD5 2e3cfb127122500a38b9153e87dc576c
SHA1 187acb0085a75c51da3adccb67bfd0bf326d5968
SHA256 ac0fec1bb63a23064eff651f4650dc3170e75fba7461214cbbecf32e9c15c76a
SHA512 1f631ee11a68a2d882266bdf8e0b47385143f9562903a07770d84f8d161b10d8694ba04566df6cd6b2df91c266c47d96f00f74725304214e8479b5c1614ba3e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce444ba7a1625a18ce51f9a6e8b4552
SHA1 40565d05676df9a4e97e7fd85d9b126d2cd1d1c6
SHA256 c565f64342f9f9611034eb7debcb17478b4fd1029024913ead1643ffd96d772e
SHA512 cee02beed3bc6e95f3704a0c7b82c463a1d927d5264bc08553ea94e18740a77ca43ca955bd8a019828f734a7783a7a4fe6f9fb60387c499e438a422043c1c7a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\platform[1].js

MD5 78e3220eb2fca6a62ca8477767757151
SHA1 8bdbd661f5046a761fc1f24c3124851a15b66709
SHA256 975033c5186c254b228ab70f69b5c1529acc426cc34934422da20da93ebfc9f6
SHA512 6375ca8a2aa701d91d9b23edcced8f1900c6dd26a66b18fc6b3314591a6820e036738a87b290c000a8a82e4ffd9c57ffc3d536253ce3046420c201a26157fe1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_F9307D60FE547838F7C712B97BEECBE3

MD5 2041a1741c29dab8a663a9abc0af14bf
SHA1 8a1d86dea9cc074d64e07d7ff1aaa589099f4ec4
SHA256 bd62f76367c82b1776e85dffd03f4a8c8ace287e6befe6c21e97059dc341d8b6
SHA512 3b3ae166491ab183f4ec0facbbf2c23e33ddff84b4ecf057a4e206ab56202c849dc17612e27dc6302ee0ddf28f4e6fef6b17ea7db84cd4b0013f83093fe4f79d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_F9307D60FE547838F7C712B97BEECBE3

MD5 d97a050a6b18c6398d6a8563bfc44494
SHA1 826f63a8e6c9ee6775d40d5d6d17834805bc6c80
SHA256 74c9b7d5df556ffa50310d699cd20ccf0de64978077a9c745a1b40f5f9efdda9
SHA512 d4cb910c9cf6a10efac3b8f5f13cc329f7fc09b2bb580c2d4d591e2a1c322741bf5ff3eb2cee55736f026871b7fdb7bd2476a3979ccf3cdba6614e5dd2b138b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5 43eebcd9c3ee9fac9a68672f44e660e8
SHA1 b9426c9134971333c3563535947585dc5b68ed14
SHA256 f5b7503e50a5bc29bf71f01141c6875916259e33cf49a7f6aad1ce8e2c2f33e7
SHA512 96f0a37d074f26d677282368a4d39a97c42994719111129ffd0603abfad77f9ba7b788cf9e4110e30ae7f27d967f011a044149d2e59680146e86023703ae407e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5 83cc557c3f9e4d6cb101712b3feaba19
SHA1 1680c5dced38674de623dd296dc14d637111e028
SHA256 0712592048e74ef428ad5937385bd606dcde0a4eafd478ebcea7c5950665d21b
SHA512 45169450a21608ec17229f8a16b38c2b14737a0d3a804dfae88dc59500a8105716504769360bc331c39c5284a2e24272c9d74a05523f536828b43adfcaf266f1

memory/2512-1053-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\cb=gapi[3].js

MD5 b103bb58d9e7cecaa60bdf377d328918
SHA1 0f094c307bceef833a64f408d2f749a10f79de44
SHA256 81dcd274347bd909cf132d3c8bcc9924e41921c33eca07fd6fe5e2a59ca4f5b7
SHA512 b1a4fa329b76df7c861771e1dc36749155895dff623cd916811f2af8c95f3bcf9fe75a3b9a56833f066a227444982ff4883459e24f7eead79b521c2ffdcaa844

memory/2636-1078-0x0000000004A50000-0x0000000004A51000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe3eed24138836f420672d9603222a3a
SHA1 7684c531a59b38d558cc4439ef66ef2804ed97e2
SHA256 61cf9fb5d859219e57ba9e72384488e9f177d003506d83df4c21d25623086d9e
SHA512 2e6d642f67edf89844390df148ec4a5e039d9966660f68fc614db5b34d4cba6e13b0736665868568ff8a2fb1f5c3bcdd894a533173ea29e76799b5b496c24e4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c2ccfdfb7259daa4a05755600df3bbd
SHA1 2b2b353112f377b6b5b8a491a9137d2dcc19d297
SHA256 2547f394867c901d9b45b26e29dc779b7507eced1b4dd447438adb53fa86fd5c
SHA512 005f6aaccb0100b6c948b73ca2debf039f771eb5051c9a58a7cb62eff902dd37bc50e937d11005d82603469ca235fe2bc50a5966e8ab1d1b69a59310bf653853

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b55d7cc9de18ea8fef53e9b2aad43ea5
SHA1 efc9f1c92ce4c167dcfa63c7b440536650494dfe
SHA256 56a015ae2d3d809c8f0642163408041ba618a71f01a201fd0e718b1a6ca6060e
SHA512 a12d4d44921a166d9e42f46a0b365cbcfe0bba31b07aa35e1705d6fb51761954005e77f07ebe7e33f5ca60a7fff8a6b6f26452c76f16a4557ac3b3c444991c5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4417bc4ff3b0921987d666154d04f241
SHA1 5fa6276905b7dc7a6a0ec04ae9a2cfe4ea0cfefe
SHA256 807790109fbe905cef6f9b9a287fffee5d77f3cf724dd4d82f3714e731781aa6
SHA512 8eaf3b321eef85fa2b3823ee1748740b512f1b1d465fce679c90052380ee62a8a99cf597a0695e522c7e9c7cf5be620b2b903063210c9cbdd6ebd9914fcdf5ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f71c6a154567fb0961ce29c1004f18a4
SHA1 587a653309a56716466710cdb97d132470cf2682
SHA256 6e67420f7c69791db00ea20894e503a52d0a82f2daeb8c40fc85b315906ab3f5
SHA512 ead831f1d32fc47519d09f1f9fda052307bda8c4175d1e0e12e74298961b1bef1718aa6b510b4adf87d78d4d6df6207c5dbc8580c9d251b5e3e185b65ca3ea9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c8ed8e5384795e30cdeb8183f111a4a
SHA1 956ab57a241f54a5a05d6c189e085bc176d4f534
SHA256 9d1a4a9e815052d0dc6996c84eebc75ff39d85ed2a8665c4d5cf096b005624f4
SHA512 ef517eb45b56cfbb642f14a20dde34a3533a3636b2fc2a42bf16a20244f88f9793f02c1e95b6fe055d0f5f0af6e1a2308126195aab5f14309cb5e3a35f0429ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 407eaf28e9655b0aa6b55a4c1423c8ee
SHA1 f24f7ce03fbe8c25622d2ce8a579cc53ee0dfb8c
SHA256 4e35ee120f308f0b94f6551493584a5cc402ae6a2a44eb5a3c22dbd83caefba3
SHA512 21f7045ff6cb9b16c51362453872f67532609217cc90dbf3f2c32a97f50997c7247060d3a5220d9d44114b7ef533911a3174a714c3fb7cf42b13185d27715b54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd3c16d151287a0276519fc31641345a
SHA1 18006eee1c03d98ef90ed2a5dbc2d911e5aaaf26
SHA256 449a5f5b28fb3700ac7451c25f6c39522f0aaaba582bb2b7a03637dc1f2bf41f
SHA512 707b3cff640000e4b9fc560f4b465648232f61a375c3a39e6fc1dc87f2cd04e66a647aad0722296134426106c7e97806f3b30d7a92c23409c2501bea3aa6d2fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d105bb3a7385fd644f087fc4e30e8b62
SHA1 da3d33d32087297110e6772ccb4d1b1f876d568a
SHA256 d6f1f260d30a6bf24014c6211381931b89bb7665993dd6282b8e183cd3caad07
SHA512 d4687706005a261e95a76b62f881a96282bc31b1c76e1f136e96cb33807814e2eed0c2caebf57f4a20ee04127b557a6a0515b69a025f8bb764be03c3f997af62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5950e3e732c1688d4820e7059062eecc
SHA1 9b6655ec9eefae63377761ed26caf6ed4ea26647
SHA256 f779b830634555614641b61793707af9dc01e95c4b69dc0d85175209fec2b289
SHA512 ba5467bda603382be0a25c5c33be0c5dc7ec7e1db0b8b5967f18d48ef274e94ca81c4cfc1993a2a110c8b33eebd8a4e72b6c760a0fcf387af83f8fc925a1f2c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ede18ef631504558cd02667f9a960ac
SHA1 12908ae627e300a6337dcbb0ed4e5c84106631a0
SHA256 1643434b6ab7776898be22b8f52b4d61495bac8e56f4722fa60608bca594892c
SHA512 04d67a6fda7ded37b6a3b6994cc8c5cc532840fd279bf7308d4c7e944fe39e22dfe08068dac71053f878d4c1165d6eaa546a96f290fd2ead970b687a1cbc0546

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ab675cc06bd573fe007475856b8a610b
SHA1 a2723dfff423565f90d1d41114843f6f4ad7c53d
SHA256 f277d7d13c0680c9e5481e96de855e5358028883c839a395597168f50de4f3ea
SHA512 64118c07e16f95c26614ebf6d1d7dfa491d372c42163feb1b7a47a5da3bcaf7489faa079695bfabd495ac41845abf5e83c953c59bbc0d53bd48b58667301afc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 219799b21c1532b8a55c3c3a6621814f
SHA1 0b12cb30717ae3fffed310b00664a493c6d520e2
SHA256 c11d151cf1eeab19ea0bab1316eb7ecfe1586c4090e390cd71f5c7729790bfbc
SHA512 83782b0264ac63dac361d01ff7ad386a9a321a6a2f921e9436d0bcef6198a3836b4bf004100526962eed85e2ce61d0ceb5153d716ff9abfe624f581bd340243c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ad4688461dd9381e1d49eee8447e2c9
SHA1 cdb843308d3594886ae9260b0d0a0de8763b7fd5
SHA256 17e2aa1f66fd8241b3521b71ac5fc707d053c0b9e7f66d611f20d24af39762ff
SHA512 281afa91e45a89f92138e04804e5db9241fec550d45839be9f947dee72cc9a5812106fc3cd577db0e2f2e229f7d58388486bdaf279a3b0c8af6de2b827efd1d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc25100f22c2d75f1264ae37645bfb32
SHA1 0232fa6fd8d79e089cfb96e092f264c050016c17
SHA256 a854b9d008b8b4465999a45e0418d35b703aa1d97ac421f316237af7af361afb
SHA512 d9c83aa77a34697bc74952af10527475c5da13edb2725693d5dfe2e1e535362bbc31b3158343a58d7385c9045eac94f80dcab027a26a61f3e90d69e3e5050ae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a18f19ea9149a28b3b4dcb5d3202f2b7
SHA1 14c8028ac66b69397cc55ba3101210f56138de10
SHA256 089ff892d093d2aadd28c044c0faa27fd34a517fcdba4e518c8b478082d0c005
SHA512 139bfcabb37bb3393f266e986bb03ef9b89abc9d3ca0cdbd2c777ef3d33abf6367696c8d966fcad277b5d00837fbf5cf7e8a717e97f1886f9d7d3519e2dc8e5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7154009988c451ed04ac5f70ba17413
SHA1 a83cde575e5f2fae0d9c51b58fdd0682d8a24ca8
SHA256 39a77cbc8516cc29cb56c6fa5b19208fa335b3cb5da316b3517a9cee95034edb
SHA512 566be10847a74e5667bf9aeb3921d492b98d0e066efed3154f34be5533d019d3106c656f39ffa67ed58fee2369fb5fcee11db928fb0538339cef55382573a0cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f38d5ae7b2b004b5cd189431aabfbb8e
SHA1 3c071da9c5131e4d8d4c81f4f61e830ae1788882
SHA256 31601a9c6a705f325776fe7ec2bce40e32c59d187743f6b330b96993b544f436
SHA512 abf637641e32dbc7bf624539ea635e4477034092866119dcb74b0ec5bbc8a7a044ad5746b349af2321b6518119fd6c563064af8b605b7e42c597305cbf8f888e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 fcc369ca30648b91b4859e2e737aef72
SHA1 5027d6dc62c1a582c8564d9c7152f352341c8f1f
SHA256 6fc36139ff5913c0cdf0af7159fbb9e9b7aec6bb25c45c2e2c5b7f6245172114
SHA512 f5688477c6c10e7d30def36dcfc13cb0e1b2176c7436165546793d61d132aff4fbdb05b14efec79629041940e04e5d71091133550a368b1be1fe634086f52b8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c1ae713556a89eeda163504c617ca69
SHA1 cdefa5d58773df2f6d95f9587e978af6d452dc3c
SHA256 60f3cc7e3f9e79671a0faeafbe40e14e9bf91a8b939972dc048ca2a60c06fa52
SHA512 9777b1685cc8a66e04d558148dc28ac278de081b4af75f6761f8928e71533f4d2ce22f13864824f2a20fd38195216f03010b31683d82b41ae5b3b2e671616bfe