Analysis
max time kernel: 136s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 01-07-2024 10:03
Static task: static1
Behavioral task: behavioral1
Sample: 1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll
Resource: win7-20240220-en
General
Target: 1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll
Size: 885KB
MD5: 1adf0d560866732a66a6c227fa3765a0
SHA1: 64f91d3f02b829e6e6844391937886a7f5c5a5f1
SHA256: 2474d389b05dd2d08b201de73548d3acd8fbf0e2df76259be3e0264b34b23a38
SHA512: 35082be2e70baf12b4f903a3459eb3ed457b2dfa3b2b0a17e108e9244b689bc8e66b5460bbac54639522c895190fde637c00b02e53c54ef2a08349b713eb168f
SSDEEP: 24576:qL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0P+Fhp1:QK5hPILYHSfeY9nWFhz
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes: rundll32mgr.exe, WaterMark.exe
    pid   process
    1764  rundll32mgr.exe
    1284  WaterMark.exe

Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1764-7-0x0000000000400000-0x0000000000421000-memory.dmp    upx
    behavioral2/memory/1764-11-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1764-17-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1764-16-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1764-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1764-10-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1764-8-0x0000000000400000-0x0000000000421000-memory.dmp    upx
    behavioral2/memory/1284-31-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1284-41-0x0000000000400000-0x0000000000421000-memory.dmp   upx
    behavioral2/memory/1284-42-0x0000000000400000-0x0000000000421000-memory.dmp   upx

Drops file in System32 directory (1 IoCs)
Processes: rundll32.exe
    description   ioc                                  process
    File created  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe

Drops file in Program Files directory (3 IoCs)
Processes: rundll32mgr.exe
    description                   ioc                                             process
    File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32mgr.exe
    File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32mgr.exe
    File opened for modification  C:\Program Files (x86)\Microsoft\px33CD.tmp     rundll32mgr.exe

Program crash (1 IoCs)
Processes: WerFault.exe
    pid   pid_target  process       target process
    5020  4336        WerFault.exe  svchost.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: WaterMark.exe
    pid   process        count
    1284  WaterMark.exe  16

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WaterMark.exe
    description              pid   process
    Token: SeDebugPrivilege  1284  WaterMark.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: iexplore.exe, iexplore.exe
    pid   process
    2388  iexplore.exe
    2744  iexplore.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: iexplore.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
    pid   process       count
    2388  iexplore.exe  2
    2744  iexplore.exe  2
    3288  IEXPLORE.EXE  4
    3752  IEXPLORE.EXE  2

Suspicious use of UnmapMainImage (2 IoCs)
Processes: rundll32mgr.exe, WaterMark.exe
    pid   process
    1764  rundll32mgr.exe
    1284  WaterMark.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe, WaterMark.exe, iexplore.exe, iexplore.exe
    description                          pid   process          target process   count
    PID 784 wrote to memory of 4232      784   rundll32.exe     rundll32.exe     3
    PID 4232 wrote to memory of 1764     4232  rundll32.exe     rundll32mgr.exe  3
    PID 1764 wrote to memory of 1284     1764  rundll32mgr.exe  WaterMark.exe    3
    PID 1284 wrote to memory of 4336     1284  WaterMark.exe    svchost.exe      9
    PID 1284 wrote to memory of 2388     1284  WaterMark.exe    iexplore.exe     2
    PID 1284 wrote to memory of 2744     1284  WaterMark.exe    iexplore.exe     2
    PID 2388 wrote to memory of 3288     2388  iexplore.exe     IEXPLORE.EXE     3
    PID 2744 wrote to memory of 3752     2744  iexplore.exe     IEXPLORE.EXE     3
Processes
(child processes are indented under their parent)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 204
            - Program crash

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4336 -ip 4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads