ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200

Analysis

max time kernel
139s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Size

2.4MB
MD5

01181a8e0bc4def08284efb5ac9f840a
SHA1

68c761c2ccda1836051e20c5cf50b99efe6d3b77
SHA256

ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200
SHA512

ede6e43c5e4dd56a68a15c06717241464ad9091ca30bd8092f9b10146156a1ae1b761b40bf20acd28a8be3038da7511d6fe3b21c6bb1f7e5d7794f667ff53f44
SSDEEP

49152:TZZuTCbQ4pPiwlugX+JmaSNzY/9rqYv4/QQB6xcz9fT++Y9H7FCD:dZ+Cbgwl1+J3K09O/dB6GxTKFg

Score

8^/10

discovery evasion spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 15 IoCs

pid	Process
2496	certutil.exe
2768	certutil.exe
2948	certutil.exe
1912	certutil.exe
1864	certutil.exe
2088	certutil.exe
2904	certutil.exe
2908	certutil.exe
1584	certutil.exe
1132	certutil.exe
1956	certutil.exe
968	certutil.exe
2324	SoftwareUpdate.exe
2044	SoftwareUpdate.exe
2124	SoftwareUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
2588	cmd.exe
2588	cmd.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2496	certutil.exe
2588	cmd.exe
2588	cmd.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2768	certutil.exe
2588	cmd.exe
2588	cmd.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2948	certutil.exe
2588	cmd.exe
2588	cmd.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
1912	certutil.exe
2588	cmd.exe
2588	cmd.exe
1864	certutil.exe
1864	certutil.exe
1864	certutil.exe
1864	certutil.exe
1864	certutil.exe
1864	certutil.exe
1864	certutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File created	C:\Program Files (x86)\TopShape-B4\uninstall.exe	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db-journal	certutil.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe
File created	C:\Program Files (x86)\TopShape-B4\1060	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2920	sc.exe
2136	sc.exe
604	sc.exe
1908	sc.exe
1588	sc.exe
1224	sc.exe
2560	sc.exe
2644	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001f0870816b829e45b8813e9018d79bb200000000020000000000106600000001000020000000c365d02f69baf55b7859bc3d7464eda81b69038bd12e80af5d920b8e16835044000000000e8000000002000020000000594a16da1b2038080a38dfa0d2a9a7e523927abb790694d135ab4b00b515c851200000003dcd9d58fa3ba6617d4e78fcd1ba2833515d135fda2aba4e473ab6864d4f92874000000025dc3cd7c1eca9a72b7903e9b78de05cf527c80499685d0a5c72d679e224636e33029ac90cbf2e6c67ca81d9b74bd34898c184e5e2e450c4682c3d7db938ffaa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\Total = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40857278ef97da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001f0870816b829e45b8813e9018d79bb2000000000200000000001066000000010000200000001082a4f5f0f7f6a89d21e5c1f0764bd18825b91c52d8aa390823f010093459a2000000000e80000000020000200000001c986a4d4c25b78cb1a6fd350cd6c044a5a48abcad00212f79ba911aee4475a790000000e0032c9c954bf13ee07a0875da0c34a340c857ae4d0ed22c8e6bdb51c161053a41609f3ca78594ed7150de194a146ed060fe19b829edd37d83c9513d7818e0df34bca0e04cdc4cd5674e949e3bc76416db6db2b6464ee985dfbe1e8ff6b41c971ad8d26318fc29ffcc1fe056f8cafdc7d4fc109b411861b8835241eae820a099b86c35c52f6ec7b0a11de7bf4dc046f640000000b61fb1a83299baef177bf162303f0feb44640e9879011ad0cfe157769719794fd943cd2314ea1f4b7ece8c93232ba16b991617b7afa6f6cdaaa31410a7293a3f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420307628"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF20CF71-03E2-11EF-9066-F6F8CE09FCD4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\watchonline.world\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836\Blob = 030000000100000014000000fb62f2c07f02e76881c6984b688279e307c10836200000000100000002060000308205fe308203e6a0030201020209009094f5e7e0c73583300d06092a864886f70d01010b050030818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f74204341301e170d3138303831333133323334335a170d3338303830383133323334335a30818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d6e394345618de5fa18914d04dd63ec2987abd0236846b8d86a7c343fc95dd3bc38abd2633df46ea30e0f3a82c1de49bbe105e9dfee8aaa1e546a2678d628ef87ad2d2abac1bc9828ca98bebb86572075bb5ee182f60aa7fb3098e5a0a89f41bed98b4463a98013102659b30971a5ca436e21ac9780aadbbebee3f220f296245c91e328ce6106e89ea3f1461ddc3703c1e80679feeaff003a5594206b3c4826bfdcf09922b38b6b044bf49f532cc342b4335a786c6c7cfdafbadc7e3af94b2504ecdd6116789840709c6e951a4bc7400d7f897eb8ffa7734c77c9acb4a108cdaf711054bc2b326057090ed2a13ef71fbd8305c58040814e475cd844bd7ad0afa049de0d73ec1e29ad052672029db370c15252c1d44f49b608b43546d5733b64e92aa89c52e078f5876b803077c5066c878362a7747918795f6236f65edd762c5ed26fd968f010ea040a0f007ce2d92ddf8fed3908d3ca3f1205ddc5cba890e33d145628bfc7f9b5fbed62dd7ee10ba6ef0dbafa25dfa0a69e0b28ea1be59ba2bf3be163633530edfe89a1c49fe83768ba72ffcd9aecc0cabccc781da7b4e281e1d141394f8c633a1f3c09fdd5e301c65ba1c793ef6d655bc922672a39c1309fd60bddb01897d6d68b65c79b05e7180cf6282bf3856ac0ba00e08a9a2a29a817ce478ddf980ad1f917f0e5004ca4f42a0b3b0c8024b33084c585d2873cbe46eef0203010001a3633061301d0603551d0e04160414b37ca2e8f1bea6a3925ddef9b2d7046994542981301f0603551d23041830168014b37ca2e8f1bea6a3925ddef9b2d7046994542981300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201006fa571fa2cb9ec0f2ce0f0df5bd731f784223d6e24535d8701557f0bd0c524baa228117e3f6ceb38b04c4bae8eae9840063881ccef6c1df562b85ef56d4ad5dd0e01a33f99ccb53cca1317ea36f45e60c3230d8ab3d27cfd661c2f5fe0c61e9b7b6c2c19db3f3e5c1790f967b926296e69f813f85220d9a29958a0856422af683b78bb0f7529168866bdfd31e7276bb655b298198bc297d09fa0b954a00736fef381a43169c8c62e93349cdf2bf11478c2a2b873fdb2134ef00cd5da091d5d1a53c512e0dd7f5b6eb102b0a3f4a41a76fa9a23545bf04cf9ce07ffc6e01eb1d7f602a50e4c1ee049080c6bfe7738f881f96300c897708c31ae4044b96fe4b5adc1baa38eedb41ece892f12dd1cd30fbf12d1b54f914fcd8094c242bf30c2856198e7e8bc39839704cb212d787cc736db487dc620e04a71ca8efdf9702cfd94453eeb7e3079bdc344e7305923a3a0dff606f5ec6b5710f7f47bc96aecd57a0648f47767de8f688549765a73140f4759b2c33f4654e880862af6cb50112a08bbb44c7c2f381211345887d04e20e840b33b4952aea2a741673abf4e3b3fb450182260988014c8e9ab6909dc97366cdae80fc5a0e6240d8c153efb8e28b8ba701699530d0f4abdbd13167055d7b20d2d4a8f64862996cbd1e839a6c9d9ee3f17e609394f60015e83c9228ab43dc3e03f07b5e42e722b22b8a8e2d638b3c3e8f51c68	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836\Blob = 1900000001000000100000007e28c7d2b1e19189c2d9d507522e8bea0f00000001000000200000007d718e849531e8d7667b7efff0a7d4584acf9a7c01746a0d61de2442edc50ac4030000000100000014000000fb62f2c07f02e76881c6984b688279e307c10836140000000100000014000000b37ca2e8f1bea6a3925ddef9b2d7046994542981200000000100000002060000308205fe308203e6a0030201020209009094f5e7e0c73583300d06092a864886f70d01010b050030818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f74204341301e170d3138303831333133323334335a170d3338303830383133323334335a30818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d6e394345618de5fa18914d04dd63ec2987abd0236846b8d86a7c343fc95dd3bc38abd2633df46ea30e0f3a82c1de49bbe105e9dfee8aaa1e546a2678d628ef87ad2d2abac1bc9828ca98bebb86572075bb5ee182f60aa7fb3098e5a0a89f41bed98b4463a98013102659b30971a5ca436e21ac9780aadbbebee3f220f296245c91e328ce6106e89ea3f1461ddc3703c1e80679feeaff003a5594206b3c4826bfdcf09922b38b6b044bf49f532cc342b4335a786c6c7cfdafbadc7e3af94b2504ecdd6116789840709c6e951a4bc7400d7f897eb8ffa7734c77c9acb4a108cdaf711054bc2b326057090ed2a13ef71fbd8305c58040814e475cd844bd7ad0afa049de0d73ec1e29ad052672029db370c15252c1d44f49b608b43546d5733b64e92aa89c52e078f5876b803077c5066c878362a7747918795f6236f65edd762c5ed26fd968f010ea040a0f007ce2d92ddf8fed3908d3ca3f1205ddc5cba890e33d145628bfc7f9b5fbed62dd7ee10ba6ef0dbafa25dfa0a69e0b28ea1be59ba2bf3be163633530edfe89a1c49fe83768ba72ffcd9aecc0cabccc781da7b4e281e1d141394f8c633a1f3c09fdd5e301c65ba1c793ef6d655bc922672a39c1309fd60bddb01897d6d68b65c79b05e7180cf6282bf3856ac0ba00e08a9a2a29a817ce478ddf980ad1f917f0e5004ca4f42a0b3b0c8024b33084c585d2873cbe46eef0203010001a3633061301d0603551d0e04160414b37ca2e8f1bea6a3925ddef9b2d7046994542981301f0603551d23041830168014b37ca2e8f1bea6a3925ddef9b2d7046994542981300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201006fa571fa2cb9ec0f2ce0f0df5bd731f784223d6e24535d8701557f0bd0c524baa228117e3f6ceb38b04c4bae8eae9840063881ccef6c1df562b85ef56d4ad5dd0e01a33f99ccb53cca1317ea36f45e60c3230d8ab3d27cfd661c2f5fe0c61e9b7b6c2c19db3f3e5c1790f967b926296e69f813f85220d9a29958a0856422af683b78bb0f7529168866bdfd31e7276bb655b298198bc297d09fa0b954a00736fef381a43169c8c62e93349cdf2bf11478c2a2b873fdb2134ef00cd5da091d5d1a53c512e0dd7f5b6eb102b0a3f4a41a76fa9a23545bf04cf9ce07ffc6e01eb1d7f602a50e4c1ee049080c6bfe7738f881f96300c897708c31ae4044b96fe4b5adc1baa38eedb41ece892f12dd1cd30fbf12d1b54f914fcd8094c242bf30c2856198e7e8bc39839704cb212d787cc736db487dc620e04a71ca8efdf9702cfd94453eeb7e3079bdc344e7305923a3a0dff606f5ec6b5710f7f47bc96aecd57a0648f47767de8f688549765a73140f4759b2c33f4654e880862af6cb50112a08bbb44c7c2f381211345887d04e20e840b33b4952aea2a741673abf4e3b3fb450182260988014c8e9ab6909dc97366cdae80fc5a0e6240d8c153efb8e28b8ba701699530d0f4abdbd13167055d7b20d2d4a8f64862996cbd1e839a6c9d9ee3f17e609394f60015e83c9228ab43dc3e03f07b5e42e722b22b8a8e2d638b3c3e8f51c68	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836\Blob = 0f00000001000000200000007d718e849531e8d7667b7efff0a7d4584acf9a7c01746a0d61de2442edc50ac4030000000100000014000000fb62f2c07f02e76881c6984b688279e307c10836200000000100000002060000308205fe308203e6a0030201020209009094f5e7e0c73583300d06092a864886f70d01010b050030818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f74204341301e170d3138303831333133323334335a170d3338303830383133323334335a30818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d6e394345618de5fa18914d04dd63ec2987abd0236846b8d86a7c343fc95dd3bc38abd2633df46ea30e0f3a82c1de49bbe105e9dfee8aaa1e546a2678d628ef87ad2d2abac1bc9828ca98bebb86572075bb5ee182f60aa7fb3098e5a0a89f41bed98b4463a98013102659b30971a5ca436e21ac9780aadbbebee3f220f296245c91e328ce6106e89ea3f1461ddc3703c1e80679feeaff003a5594206b3c4826bfdcf09922b38b6b044bf49f532cc342b4335a786c6c7cfdafbadc7e3af94b2504ecdd6116789840709c6e951a4bc7400d7f897eb8ffa7734c77c9acb4a108cdaf711054bc2b326057090ed2a13ef71fbd8305c58040814e475cd844bd7ad0afa049de0d73ec1e29ad052672029db370c15252c1d44f49b608b43546d5733b64e92aa89c52e078f5876b803077c5066c878362a7747918795f6236f65edd762c5ed26fd968f010ea040a0f007ce2d92ddf8fed3908d3ca3f1205ddc5cba890e33d145628bfc7f9b5fbed62dd7ee10ba6ef0dbafa25dfa0a69e0b28ea1be59ba2bf3be163633530edfe89a1c49fe83768ba72ffcd9aecc0cabccc781da7b4e281e1d141394f8c633a1f3c09fdd5e301c65ba1c793ef6d655bc922672a39c1309fd60bddb01897d6d68b65c79b05e7180cf6282bf3856ac0ba00e08a9a2a29a817ce478ddf980ad1f917f0e5004ca4f42a0b3b0c8024b33084c585d2873cbe46eef0203010001a3633061301d0603551d0e04160414b37ca2e8f1bea6a3925ddef9b2d7046994542981301f0603551d23041830168014b37ca2e8f1bea6a3925ddef9b2d7046994542981300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201006fa571fa2cb9ec0f2ce0f0df5bd731f784223d6e24535d8701557f0bd0c524baa228117e3f6ceb38b04c4bae8eae9840063881ccef6c1df562b85ef56d4ad5dd0e01a33f99ccb53cca1317ea36f45e60c3230d8ab3d27cfd661c2f5fe0c61e9b7b6c2c19db3f3e5c1790f967b926296e69f813f85220d9a29958a0856422af683b78bb0f7529168866bdfd31e7276bb655b298198bc297d09fa0b954a00736fef381a43169c8c62e93349cdf2bf11478c2a2b873fdb2134ef00cd5da091d5d1a53c512e0dd7f5b6eb102b0a3f4a41a76fa9a23545bf04cf9ce07ffc6e01eb1d7f602a50e4c1ee049080c6bfe7738f881f96300c897708c31ae4044b96fe4b5adc1baa38eedb41ece892f12dd1cd30fbf12d1b54f914fcd8094c242bf30c2856198e7e8bc39839704cb212d787cc736db487dc620e04a71ca8efdf9702cfd94453eeb7e3079bdc344e7305923a3a0dff606f5ec6b5710f7f47bc96aecd57a0648f47767de8f688549765a73140f4759b2c33f4654e880862af6cb50112a08bbb44c7c2f381211345887d04e20e840b33b4952aea2a741673abf4e3b3fb450182260988014c8e9ab6909dc97366cdae80fc5a0e6240d8c153efb8e28b8ba701699530d0f4abdbd13167055d7b20d2d4a8f64862996cbd1e839a6c9d9ee3f17e609394f60015e83c9228ab43dc3e03f07b5e42e722b22b8a8e2d638b3c3e8f51c68	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836\Blob = 140000000100000014000000b37ca2e8f1bea6a3925ddef9b2d7046994542981030000000100000014000000fb62f2c07f02e76881c6984b688279e307c108360f00000001000000200000007d718e849531e8d7667b7efff0a7d4584acf9a7c01746a0d61de2442edc50ac4200000000100000002060000308205fe308203e6a0030201020209009094f5e7e0c73583300d06092a864886f70d01010b050030818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f74204341301e170d3138303831333133323334335a170d3338303830383133323334335a30818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d6e394345618de5fa18914d04dd63ec2987abd0236846b8d86a7c343fc95dd3bc38abd2633df46ea30e0f3a82c1de49bbe105e9dfee8aaa1e546a2678d628ef87ad2d2abac1bc9828ca98bebb86572075bb5ee182f60aa7fb3098e5a0a89f41bed98b4463a98013102659b30971a5ca436e21ac9780aadbbebee3f220f296245c91e328ce6106e89ea3f1461ddc3703c1e80679feeaff003a5594206b3c4826bfdcf09922b38b6b044bf49f532cc342b4335a786c6c7cfdafbadc7e3af94b2504ecdd6116789840709c6e951a4bc7400d7f897eb8ffa7734c77c9acb4a108cdaf711054bc2b326057090ed2a13ef71fbd8305c58040814e475cd844bd7ad0afa049de0d73ec1e29ad052672029db370c15252c1d44f49b608b43546d5733b64e92aa89c52e078f5876b803077c5066c878362a7747918795f6236f65edd762c5ed26fd968f010ea040a0f007ce2d92ddf8fed3908d3ca3f1205ddc5cba890e33d145628bfc7f9b5fbed62dd7ee10ba6ef0dbafa25dfa0a69e0b28ea1be59ba2bf3be163633530edfe89a1c49fe83768ba72ffcd9aecc0cabccc781da7b4e281e1d141394f8c633a1f3c09fdd5e301c65ba1c793ef6d655bc922672a39c1309fd60bddb01897d6d68b65c79b05e7180cf6282bf3856ac0ba00e08a9a2a29a817ce478ddf980ad1f917f0e5004ca4f42a0b3b0c8024b33084c585d2873cbe46eef0203010001a3633061301d0603551d0e04160414b37ca2e8f1bea6a3925ddef9b2d7046994542981301f0603551d23041830168014b37ca2e8f1bea6a3925ddef9b2d7046994542981300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201006fa571fa2cb9ec0f2ce0f0df5bd731f784223d6e24535d8701557f0bd0c524baa228117e3f6ceb38b04c4bae8eae9840063881ccef6c1df562b85ef56d4ad5dd0e01a33f99ccb53cca1317ea36f45e60c3230d8ab3d27cfd661c2f5fe0c61e9b7b6c2c19db3f3e5c1790f967b926296e69f813f85220d9a29958a0856422af683b78bb0f7529168866bdfd31e7276bb655b298198bc297d09fa0b954a00736fef381a43169c8c62e93349cdf2bf11478c2a2b873fdb2134ef00cd5da091d5d1a53c512e0dd7f5b6eb102b0a3f4a41a76fa9a23545bf04cf9ce07ffc6e01eb1d7f602a50e4c1ee049080c6bfe7738f881f96300c897708c31ae4044b96fe4b5adc1baa38eedb41ece892f12dd1cd30fbf12d1b54f914fcd8094c242bf30c2856198e7e8bc39839704cb212d787cc736db487dc620e04a71ca8efdf9702cfd94453eeb7e3079bdc344e7305923a3a0dff606f5ec6b5710f7f47bc96aecd57a0648f47767de8f688549765a73140f4759b2c33f4654e880862af6cb50112a08bbb44c7c2f381211345887d04e20e840b33b4952aea2a741673abf4e3b3fb450182260988014c8e9ab6909dc97366cdae80fc5a0e6240d8c153efb8e28b8ba701699530d0f4abdbd13167055d7b20d2d4a8f64862996cbd1e839a6c9d9ee3f17e609394f60015e83c9228ab43dc3e03f07b5e42e722b22b8a8e2d638b3c3e8f51c68	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1080	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1080	iexplore.exe
1080	iexplore.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE
2364	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2588	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2588	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2588	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2588	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	28
PID 2588 wrote to memory of 2496	2588	cmd.exe	30
PID 2588 wrote to memory of 2496	2588	cmd.exe	30
PID 2588 wrote to memory of 2496	2588	cmd.exe	30
PID 2588 wrote to memory of 2496	2588	cmd.exe	30
PID 2588 wrote to memory of 2768	2588	cmd.exe	31
PID 2588 wrote to memory of 2768	2588	cmd.exe	31
PID 2588 wrote to memory of 2768	2588	cmd.exe	31
PID 2588 wrote to memory of 2768	2588	cmd.exe	31
PID 2588 wrote to memory of 2948	2588	cmd.exe	32
PID 2588 wrote to memory of 2948	2588	cmd.exe	32
PID 2588 wrote to memory of 2948	2588	cmd.exe	32
PID 2588 wrote to memory of 2948	2588	cmd.exe	32
PID 2588 wrote to memory of 1912	2588	cmd.exe	33
PID 2588 wrote to memory of 1912	2588	cmd.exe	33
PID 2588 wrote to memory of 1912	2588	cmd.exe	33
PID 2588 wrote to memory of 1912	2588	cmd.exe	33
PID 2588 wrote to memory of 1864	2588	cmd.exe	34
PID 2588 wrote to memory of 1864	2588	cmd.exe	34
PID 2588 wrote to memory of 1864	2588	cmd.exe	34
PID 2588 wrote to memory of 1864	2588	cmd.exe	34
PID 2588 wrote to memory of 2088	2588	cmd.exe	35
PID 2588 wrote to memory of 2088	2588	cmd.exe	35
PID 2588 wrote to memory of 2088	2588	cmd.exe	35
PID 2588 wrote to memory of 2088	2588	cmd.exe	35
PID 2588 wrote to memory of 2904	2588	cmd.exe	36
PID 2588 wrote to memory of 2904	2588	cmd.exe	36
PID 2588 wrote to memory of 2904	2588	cmd.exe	36
PID 2588 wrote to memory of 2904	2588	cmd.exe	36
PID 2588 wrote to memory of 2908	2588	cmd.exe	37
PID 2588 wrote to memory of 2908	2588	cmd.exe	37
PID 2588 wrote to memory of 2908	2588	cmd.exe	37
PID 2588 wrote to memory of 2908	2588	cmd.exe	37
PID 2588 wrote to memory of 1584	2588	cmd.exe	38
PID 2588 wrote to memory of 1584	2588	cmd.exe	38
PID 2588 wrote to memory of 1584	2588	cmd.exe	38
PID 2588 wrote to memory of 1584	2588	cmd.exe	38
PID 2588 wrote to memory of 1132	2588	cmd.exe	39
PID 2588 wrote to memory of 1132	2588	cmd.exe	39
PID 2588 wrote to memory of 1132	2588	cmd.exe	39
PID 2588 wrote to memory of 1132	2588	cmd.exe	39
PID 2588 wrote to memory of 1956	2588	cmd.exe	40
PID 2588 wrote to memory of 1956	2588	cmd.exe	40
PID 2588 wrote to memory of 1956	2588	cmd.exe	40
PID 2588 wrote to memory of 1956	2588	cmd.exe	40
PID 2588 wrote to memory of 1056	2588	cmd.exe	41
PID 2588 wrote to memory of 1056	2588	cmd.exe	41
PID 2588 wrote to memory of 1056	2588	cmd.exe	41
PID 2588 wrote to memory of 1056	2588	cmd.exe	41
PID 2588 wrote to memory of 968	2588	cmd.exe	42
PID 2588 wrote to memory of 968	2588	cmd.exe	42
PID 2588 wrote to memory of 968	2588	cmd.exe	42
PID 2588 wrote to memory of 968	2588	cmd.exe	42
PID 2588 wrote to memory of 2116	2588	cmd.exe	43
PID 2588 wrote to memory of 2116	2588	cmd.exe	43
PID 2588 wrote to memory of 2116	2588	cmd.exe	43
PID 2588 wrote to memory of 2116	2588	cmd.exe	43
PID 1684 wrote to memory of 2920	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	44
PID 1684 wrote to memory of 2920	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	44
PID 1684 wrote to memory of 2920	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	44
PID 1684 wrote to memory of 2920	1684	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\add-certs.cmd
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin"
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin"
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release"
    3⤵
    - Executes dropped EXE
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release"
    3⤵
    - Executes dropped EXE
    PID:1132
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -L -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    PID:1956
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "AddedByUser ca.cert"
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe" -L -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:968
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "AddedByUser ca.cert"
    3⤵
    PID:2116
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape
  2⤵
  - Launches sc.exe
  PID:2920
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape.me
  2⤵
  - Launches sc.exe
  PID:2136
- C:\Windows\SysWOW64\sc.exe
  sc stop Software Updater
  2⤵
  - Launches sc.exe
  PID:604
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape
  2⤵
  - Launches sc.exe
  PID:1908
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape.me
  2⤵
  - Launches sc.exe
  PID:1588
- C:\Windows\SysWOW64\sc.exe
  sc stop Software Updater
  2⤵
  - Launches sc.exe
  PID:1224
- C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
  C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe /uninstall
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
  C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe /install
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\SysWOW64\sc.exe
  sc failure "Software Updater Service" actions= restart/60000/restart/60000// reset= 86400
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\SysWOW64\sc.exe
  sc start "Software Updater Service"
  2⤵
  - Launches sc.exe
  PID:2644

C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
"C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe" /run "/aff_id=1002" "/app_id=1"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.topshape.me/thankyou.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1080
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:340994 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:799750 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db

Filesize
64KB

MD5
f246333f077ea7b490a063eeb7e22913

SHA1
bf10c0615b50279b3d75ef83fe8c594d4868f95f

SHA256
3af11109e80d49b16554050e2d90565d1e849512f4279445b6b8f6a80bc41dc6

SHA512
da7abc23817a8cfebe3b970a28eaef0eb97b6750439c56bcabb1e6e85056050c8291a17ecab6f7b98193ac30c0554d673321eff138ca03c379860113c85f9c45

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
9KB

MD5
e45c3fb0f28fe6590e3d75c785e65c1f

SHA1
d96690392e6428cac59bbaa9b2bcdbac27e683e5

SHA256
020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421

SHA512
be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
952f834e83797110398b65029c84e409

SHA1
b28ae0a542e9edf3fae4284ce4fbce85b866483a

SHA256
e2cd5459a4ca3522998bae6589819903d07108c2151dd8af4a995a9a42267313

SHA512
ea0b95c89d7bddd0ad8c916da994de2b919761b5652ce989b00e302885b60877470406c3a09bbb1c323c6d744d9a5e9e453ed5a0c638654f8b228a6dee5f935c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eab647813bcca774def8f32cb95d1384

SHA1
a1ed9523fe6bf72d2374418a26cc3594c6a2446d

SHA256
d71ef2a82829a80a1b5ade5e08d3b99051d569ce1a23903660f964caa36b9c08

SHA512
a7f0e6555478e6d98851ef4342995458bba4978d2c8d98184d1428e5651f86fcbcca55b618836516f262a761b5657da570ff5108374b8e0034fa6d13b071d888

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cc61edc3a3ebfc91c456f5a6980396f

SHA1
7d16ebad6760fbeccb0412cbd366116a89635bc9

SHA256
7b5d0b464f85ee41f027a9bed18d7c62abb6a3a82c6ba71e4ff74d915cdeeded

SHA512
ef3f27cc6eeebaef731d05aac13d35130c77b137c86d824456b5484870633fd843ce24822c5e59d49d765940732badad46397ec30ea37a775be814ba83544129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a198f1f00d00b45e3e98628d2cfb8a3

SHA1
a71840c93259cd242b4a2971b4c964c4453b8a94

SHA256
5cd06aa5ca3db39a1ce430100d07bc0739ebe31e4735c888cd007c8bd1e83e32

SHA512
45c01c84c95b1d8e3add82fd8b540895307d20f3204122d4e05bca25019f52224d25f06f3821d099a8b5e1e8921c16d46af391ee613d1b75ececa48f2e35aabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21a51086e3139d53fa18d65dc7874dde

SHA1
c4ed77932c0ecc1049739362fcaa741dccd25cf8

SHA256
a92ae869752d5da5afb2470f9a9d96c0fcf651e411e36066da0412b04774e94d

SHA512
7f5b6b53c81c26d7b57bcd310926821f34a167940d11f59bc5e8682478cdfdce7ee84d77784979d0d3c444cb7715a6c030927885d69396fde0d0275828de16ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdedb7f5c0c12885bbac408793ab17fa

SHA1
12ac5fce87a75d27fca8b12f828533e226653584

SHA256
53887715bfc15d7552745939bdb78ddd963182e2a1a2dbd1f0c715676c498c72

SHA512
d6be913e9147b055df07ab805b4839db4ee247f2af291a5112a8565ed045991f9050900ace4932e1f282d341158f99515937d19705405cfba23abd3065654d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6b41792efc6ea13171de674970a8682

SHA1
7194378a8e31922fad83f2f6b02a32a5fe6df137

SHA256
e1913a7a63fc54bbf3ecc93dc145690e7c4c3f7e071c5a026a3b4699ca730f1a

SHA512
8a0c1da271c7174e012135ef4d69e3a24b6cffa9bce813ec482b6fe1f05c4fd18bc8718e9b8cc979af23ded9468301886985edf71133c74a178b5f14f239011f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2d1fd31a40a5e0b80880c703c4a8838

SHA1
6fa3889db3620014a201a01c60553bb9446185d6

SHA256
f44c478c3c0c17a28f233d8367bf37bafc12419bec9c5aa1768dab82ce457d84

SHA512
7edbf441921b1a8ea0d67b56ffb1382e6f0b2c23a917eaa692c3bffb7239cc55b98de9e2a31c85a341ba7e49b914722a8d2af334d07ae50f32d15557a34ca43b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff00e66855d03f4372d2092d7accd1fe

SHA1
e369bc4504a23fc44cb33718a2ae1db1ae26d1a3

SHA256
4fff77bd858ccd950db296fec6cd7e177a68ce1d7602cf09534917e62f4e9109

SHA512
e67b95419aa0a408a3727591e619187a96d45317ba5338aad282dd1715c72b9099317cf71b4aa92f27b1e45e2273de1f47c5034df9fdb1321fb2b8d14b590425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1a61651bb260cbbfa2346faf8af4a19

SHA1
61adec21f84d41ae151f921d66dd066cdb5f959b

SHA256
d3cdf1da542d5891751724098c414ed70bda4e84a7197ed5c79c510657c0ec4b

SHA512
2c5dba756c7bd5582a102296087597e41882f6988c0e7bda275fdb815a910934aa119183c61c43aa42237d987b3ed7a40f07695bd92808bfac31493c54a81f7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f3173180ee23114a5578773f860d9de

SHA1
9e26ce902969fd8188197afe9932696853a127b9

SHA256
3392770045445668feddeb96196b30fa8bf854aa1204aeaf74eaf796c09e01fc

SHA512
763282b4723098d16c30c1fd21badc86556043e50ae811a92c0c2e990ffba3b7d31b01714ef7251e888495c54bc7f49d89f9423a0da61f14b65f08c1c8f2e1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ed70ff8b26e83a6b7c160ee6992194d

SHA1
7fbdf3f3676430248c58ea61be35e729806d8a3e

SHA256
a828320b98cc9c7de4394966ad10121a8e9f74db617a08260a9d916cfa39d6e3

SHA512
1e152267b2d7a7c14ca8342903033c618cfe2394fbff459553a7df2bfd8eee769d3892f54b6d410305be4e3c1dfdad4fb1b45e73755b5f738c105803b0c5d898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2064a36b81995300686c7bdbeaeea7e8

SHA1
723713db8958a0d7f040562792941c5bf6705b69

SHA256
8dead7d31c9550dd387e836aac364214c83ab303d7d62ba86495c0b5ea6b89ba

SHA512
778625b16e8d899aa528545d5d2967fbbd3b3f216442c00e8546a1ccb6fe1f68f7d28aa259dbcc029ea9aabc99edb15d29f032057c5ff15a57424d1f3550d655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c30d3f4127b61b6ae45baa61e00059c0

SHA1
3497d2a3e7c09791a54b33e8163e576db2679512

SHA256
7191c7414dd210afa577e5e1559db180c50c28363bafb428ddedc05f810fbd0e

SHA512
1ad3ce41a657fe709ca0b4df067f9f11ea6c7f267d4c983a01a993bb2d14bd0f0894aa08e032da271cd7806b23f3ee502aaf3a5502bebb2de3b63f4d6123b5e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dac51bac978f910ba8fd208ee5d07c92

SHA1
b6119ae9ebd2b149cdbcc7d1c444c2cb176c44e7

SHA256
0f9c45d05f5e4f10e4bf4bd7844af57086d9fbb63a7ce114288296d1d3abd739

SHA512
125c46281db5aa61aaa8b502be4497fa7f7df66233c1e53c1270c668bf22a7c7e0394d8ecdafa546a2d2dc0d2e824673658aaf1496448b2f90effffbf3578ea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5315e1dd700f4c1494cf66aacfd67d1c

SHA1
efb6976748765d8ee71422977d77054e18ed9e42

SHA256
a5759db8837507b88ba6a93e791598ed088eb64eaebb5c675515fc581a81653c

SHA512
b8609417bdacdb067979150223e53f2e25f5e61caf0b96f08f7550e69d3d47ff1958e8bea042f5677bd9fc6796e9ca023bcac27bb9f62e6aefd7450de71269a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35171d9939272c7c851083b435b95c26

SHA1
3f54b2d4231bdbfca45aa45daac1d60f75986cb1

SHA256
6f186bb6b9a42b585eb8244ffed38e87002ea80267fc9b5f781c6f03e19aa23b

SHA512
5ac54154890999981fc35a91f1f14ae693ae67d0449a71a1c03e3bceba47fce634af995a2aa7ec1f68a15210bfbbf32d3e5578404ff5ebc99f06ff0d1ee9d0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4849dd0846dd81b1557536311c31df8

SHA1
0e57484747b0d60d43a3e0b5b0ddc4090534d109

SHA256
3105543b59c5069b2ffa1d1b5ee75b678e739820faa790eef4e10c3ccaa30812

SHA512
33b0ff23276ac382659aef40a547ca7d123a4728d26546a5546ac782309fb0b09442d0705be73d51f11b52022e71ba41d6c434ff0d6c300a8ab674797e8df130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c5914af1f17443e195734de6fb826a2

SHA1
fd1acf7eac06f9270ffb740368dcf7521f027615

SHA256
a375588f746e6eef69cc66f2d272971651fa9297c50b1314c3aaa3d6511a14a0

SHA512
75fdaa91e7f97b29b861d7d0e81d57ac80f6150ab90d9d8ccdedf22eeb1f82f964a6e43effb929060755185b744f700059ff3a15eb2a39b35b7c4aeb6a8eb723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b249bc522022853c4abd2982dba6684a

SHA1
89b94cd8858a51bc38a4991cd0cfd8626ab77724

SHA256
57b32d75d352522e4b0203067d0dbcbeddb876a88c4c71c5d7d981276ad50c4a

SHA512
a76707b3c85a5f38791a727bd1180013afe87f94e682e4c2420de4978fa7b16400f5d168027ba4a38bfa56348b7d03fed8887ee7552a0c990cc762dd7089cd05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c6ad9ef21f4cc84a6740ab3784eab04

SHA1
5190d34689b47ff7bde94ed2da505ed8b505e3c6

SHA256
8fdaa27ac0ea9a9f2933d2fdec7964cdc58decfde9997c5e1b49660ef6e5d321

SHA512
f9e82c88826e98506d68d74d6a105b45cd3f41f83807ee4ce0b265915e7c6ca8b2358dfbc3d97da4869cbde4b9bfc64501a60503d9d2901f0dd067210e1ef12d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
848b2ba26ea3d67a32f050726afdbae0

SHA1
9997c6aaa7ef4ff6c941dd89b61c6f22dcbe64de

SHA256
72893462191d5932078160a94c4423639a38c98b0ebf7868b14b9329198ca4fe

SHA512
93b30e507f33455cfc1dc37cd0d01a573a9df92a5ccb49802ed2dc12988340ce928246956af3feee5743dbe5b9288a80abb8c6ef14aed2ee3aaca408ba12c0c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e2337ae01154960a0ae2e0b503fd6b4

SHA1
3227c7c185d0c9dabb2b04e916b86b7b0ad2c31a

SHA256
ec264df67802014fa4dd821056c3cc7822bf0deb21594b2ca6e33bc7f54af0a4

SHA512
a49d0fa7249e47a0c71ad4e6cafc8d6a7c9243acd1e401caf9445568c151131dfb0097b74e753fdc196d0bd9bb813851e5faf1e8ca5fe5771b46a13d0faede4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cc1ebaeeee965061fc5ef7c6820db38

SHA1
20ec56bc36ab5a46acc8274bfeda2a74669f4f11

SHA256
58c3be2a73eb72a2338d88dac81eb1bf15549ac8a175cad0ccfbc5d4359c2104

SHA512
b7f65eb814087dd584dc6b11363ee01b1ce9ef9f92f00119fe2e5f7affebce083940cbf4e498a21c05079cd422e704966dfa280bcc6219f2330cbaaffc9eb1f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9491ebd4498ca7ca9f4cf7cc160cd45b

SHA1
51160df54805c368a511e7c0d65121bed33e0b2e

SHA256
cffed6b7b1e7e1d619f6a679c28ce8a57c56478b102924131a233dd1ccc99440

SHA512
2b805b262faa06285d8055b36cef12ade1c7247688c44416de3bc1bf8359c964b19300572cfd41e6749d1fca0dc6ab4fd5b1c39112437dadeb39093bbc459c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2048a8a4999624c5b56d4d50df03bd4

SHA1
15543b97f2d2f435d65f089891d525ade6dcd81e

SHA256
48843bc0439f2a03a179db4212266cfc2762af7cfa6a3e7c2f7623f2f6ce7769

SHA512
fd83f4f22a72cc2801a7ab27aeefc456a5a190c6a127fc8011d687721bf50110c23a39a75d5ec96f22de34f4d8c9d341958a25e2132cf660a4beb82dd1744dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed046d824ad3aee0dccd3c9382455190

SHA1
27b979d95d3f77487f3cab8eacba6ec4e29ddb8f

SHA256
6b467aa515dbb20c2b80edc66f82ff841a823e70a5f9c569f168f966fb2af13f

SHA512
37dedef9d363168a2035628a96280384d60fb23b7a0b5b424b91ff29cf9c76b8930216a0321f26447855efc5b27ed3c9ca2898ca72547c15429ee5151061e12c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55f31d433857c2f32c084024a861469c

SHA1
3f6dc3ceaf9c4a6fd8bc7ad9f89a58d0e15290b5

SHA256
587a7fb3068615d29552f4e48eddd85f64842e8ba75650ff4a0444e5aee8b3c5

SHA512
057230b6d392971a1ca9c69056e1befcc2151222175728f1d6a27485f8b1b898aeebf65484a615679978519b89fb3c79f2d19d89c71bbd0a5f403154048bac6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9267722c641643bcd2dc64d83ffc3dc

SHA1
6401a48f826cb0d5258fe6b194002c66a9054b13

SHA256
702d0e9ee5738776109a9a6531c98172feea8ac0da20fffd47a00af50c9b9e97

SHA512
52701376c9bd2c3a7df0969299e9ca1185972699cf093f385e9844846820f3610e59a35072245ef1fa5379c33267feb93d6388d5a9569e3b6d0ae56c6094068d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b317640c14b3930d20874308fb2c4e9

SHA1
e1d60fff65968585e6f498d6445d669a4cf8b4de

SHA256
8b074580e7d5c6675a65ad80b3229bd685dcba06acc4dce6a6d49eb0e2868373

SHA512
201d1b50e23a96d402678c6dc341c7df2c9d5cf2f205b1ef8b735d7fb3d22925fd1ddf5de0846844b29bf66b86925ca41deed0da17cac2c44c0136c9e4519251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\AV9NHNH2\watchonline[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DD4.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\add-certs.cmd

Filesize
3KB

MD5
5ac423d78077c6ec8d99974dd9681d11

SHA1
0d91d80de298fb008f522ed95842932bb92f6099

SHA256
664e3b7b27995e01fd31dff1699b39b995c0e9efebaefa16247669eafce08e08

SHA512
dce34c3dc7bb2cec567be2e12c0362be260c59b940efc869a2421f647af9ce847c4793c86f5a155206c2d41c40ee07144b81992f629ba8d9d2644834effdbda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\freebl3.dll

Filesize
314KB

MD5
f474dd91bb12f230209ec3163ce7e6c4

SHA1
04ff682e527a1c132f73bd836b7880dfa1128528

SHA256
f63b2cab4b77ac63a1beca66872a991e1f8233f2c513d42460dbf28c733b138c

SHA512
01f1feaacda301b013f5e097fa5816b0075b7389ee0522e8fe350802093f6cdfe6ade24ff2a0350896b333e44a77901bbcead85f8cf98bfa91fb110c18adbfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\nspr4.dll

Filesize
155KB

MD5
bd0e897dbc2dcc0cf1287ffd7c734cf0

SHA1
5c9c6c6082127d106520ff2e88d4cd4b665d134f

SHA256
2d2096447b366d6640f2670edb474ab208d8d85b5650db5e80cc985d1189f911

SHA512
db21b151b9877c9b5a5dc2eda3afa6a75a827ce1f340032427b7de1d9f9803767aecc582862b58885f456c78fc75ee529581089b725975600e45c6af785280a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\nss3.dll

Filesize
788KB

MD5
54f3932864eed803bd1cb82df43f0c76

SHA1
675960acfed6df22ae0a41973b08494554b37f1a

SHA256
96e068e6162a98d212b57c86b14fc539f1bbdccd363f68efd8cdfecc90c699d3

SHA512
3e1eccb33b8371dbe4801c5c3909130eb4e2a8a9aec80d2c7b2528b00dd137c5ffe672095963d207b48e10f8e024c34fe841aa7ed22c7b7fa6e058165fce90b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\nssutil3.dll

Filesize
108KB

MD5
c19416e9cf9e571068ca14276c6e0620

SHA1
b5e8ee4659b678fb3b234055b1eeda920eb20b30

SHA256
ba9341807b42e90bb0380d51a83d3d6a0de7d57b6820a8b0cbe5e36e978860fa

SHA512
5cde579f66e0677f1419dc11723e1f7b5a7d408b4b3250e26aa0c0863a46b6fd86f17813416769f1eec89375f3c9c83fed468a17d1ef80f83ff1744927e7da79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\plc4.dll

Filesize
13KB

MD5
88b4df8d7d536a195f866b70c48ed534

SHA1
a385bcd411c3dfad1c08cf56977c1ba45ecbf2f9

SHA256
09f01488a002915b8472a4e82adb7a3e8cb43bd77db347b0178eae614f846a0a

SHA512
b8291cc96a40391d69a75dd348204083f2e21a752a8af3339fd524f8dbb9947575c33eb8ecf77fc177cf2e3568777b2de267cf63301034b28adcfef40ab821c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\plds4.dll

Filesize
11KB

MD5
b7ed50495d311cf6e7ad247968dd2079

SHA1
3364725821ea012f8fa99df102677befc5ff929f

SHA256
20166e281b31ae60672b9d87cb69fcba0c38cc5e18a8ba081c5601ccfab7589f

SHA512
a783f0a00d016a5974f87399637bddd5a5821e3a79c5acb2f6b3f097c9bffefb8a1dee7d968c0646faa2d854a105c57988d244d9c47fb9c189d8383c00a8d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\smime3.dll

Filesize
96KB

MD5
94624bbab23a92e0a5f90cce9a5a340d

SHA1
a81d1e0a2c75657f698cee9346fa85423b9b365f

SHA256
b0104ea7aaa257b111982bd0763c1c47fff76bd70249f84dcad834d50444df1a

SHA512
d623e4d271a0dcc0f16e4a2dc4d10422de42445d6da60a5fdb149c511b5e5363de448696592e11dce118f950eed2e92cffb78056c80e1a8e3a42d44ec54cb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\softokn3.dll

Filesize
166KB

MD5
6832b9a7ab871d81be42054f117b8299

SHA1
935c0fe7e6cb356a8854e3b7046fd7fc0aa29c61

SHA256
b1316e04b3bf464906f4e015d3e71b4e06a65cc6e59a20a96984ee1e862dcb0e

SHA512
e6579f7df7b3c43219e47630a6b51a576d2ffa9902ddb0f309f5ccb210242dd16ebec75439b2bac22e5cb0b62984386cb6eb4190b2914827b79e3e4afbbdee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\sqlite3.dll

Filesize
467KB

MD5
3a58690aff7051bb18ea9d764a450551

SHA1
5ce859b3229da70925ffa25564cb6d7c84dd6c36

SHA256
d2d0b729837574d2eb6adac4f819bc4f8534ac9a43b17663942b2401a02db02a

SHA512
299634094a624ee8ad2898d3f2bdf8fee23f234c160992e68d087af828a16ff18e3d1fb1ca5755e82f592d6e3e335c63a9c8dad04ef003d2127bbfcdbec649d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\certificate.cer

Filesize
2KB

MD5
1363185d42f410daefe74f2f9b932c7d

SHA1
e62700d8e30658c75600100ec2bab95fe27d3095

SHA256
609bcc31872e361c41c9e3ce6882c5245e052e6bb695d5682a964593fce9b429

SHA512
abadbece11f0c185c6b17d022b6a509ca3904438a1cdd8ca08d768f5c3298335b4c5425c67852397bb7dc60490071f8b617fbf771d9eb179e46e3cda8083fa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\db\empty\cert8.db

Filesize
64KB

MD5
54026638677f2ed4d24a452821a5be4c

SHA1
9653ec968c1c2595a343f9106a3e7546bc454df0

SHA256
2522bb7036f417d293f7c978c414bc463efd281d218d51f90b6d973e3da104cd

SHA512
9fe10855179f52dd2f7d3be1fb10f84c9e707b8b6580753f5a21c3ead859463d800906da0424b8ff3ee1f59c734d7ee65c31a2af0701f2e2c6627978b7fefa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\db\empty\key3.db

Filesize
16KB

MD5
f6cd36aaa8773caf03a15628d8943951

SHA1
b473fae3265f2023f91396529dce3224dd2b505f

SHA256
ae6d6cb4716eceb1447850ee6105e982718c8710c1488bb709338cd074715222

SHA512
f32fb28353590c98d61d79afeef7415023542f2833bec43d4df68ee696c5a95ad10160d9d94d3434792b0301a942037bf61f021f82941231ed043a9b43dda7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\db\empty\secmod.db

Filesize
16KB

MD5
02a3b00dafc8c7fb117bfcb1de9859cb

SHA1
c0dbc33717ea22ca740e6039fd3459d614599a74

SHA256
38ada995217652d8e48eb6b8eb49e84a0b246ca336254b669285207db61622c1

SHA512
b9e425df73287de15714930e8236cd4e4624887d6193d6ccb5f37850b31e94bfbd737992817bd8b47ecacfc04948207e6bb71a3ff5e30caa41472826d7d44a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDB8.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.Admin\key4.db

Filesize
13KB

MD5
a7dbf45a570fc6c5e5a0f84fa0361b37

SHA1
e836975a5ab2fce5c4d36a0752e3185c092eeb37

SHA256
3c7d8bb7159bd440abc6b95d4948c0948873a690967b3c33a77fb0ef95079c56

SHA512
79e1d07c5e9aa73befc44de2d17df7c003fc57def4813d804e739ecd0ec7cc1a485f8af5cb5eeac94553add963faaa1bede5b649d977eb5be632dc14698f95aa

Download Submit
C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe

Filesize
896KB

MD5
5efa3a66b87d70a06dd95e03879702c7

SHA1
4d452010762f7e3669f33405e97273f2f325e499

SHA256
ce6a8bb9070ee46c5a02c825103d61caccca221edcb590297316055733b7d1f2

SHA512
8a7bbe63abd86468ec5eb3c6f431ce44efc0ca05dafd37797954c46281a1f126e05683d0aeabb4e12239ca42370be826be6299e99fe3ea8d3e5826b50896acbc

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\certutil.exe

Filesize
112KB

MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB8.tmp\FF\bin\nssdbm3.dll

Filesize
100KB

MD5
8cc6a31974a175a65d6c090feed39f42

SHA1
30dfeddc8a4a59aeb7198d8cc9c712f3248a1e51

SHA256
f64111faa9966d7b7859c6467bedbd64559284b049f55ffadc54dfc50a3a4264

SHA512
597b2fb5ba96fe656e2c81d3d411adfc4e693510f130872e16c9cc70355b41fccfc0b9dbc16171af76e2caa7945fdf2519cea40b9ef1a161ed967346df595d5e

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB8.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB8.tmp\nsExec.dll

Filesize
6KB

MD5
b38561661a7164e3bbb04edc3718fe89

SHA1
f13c873c8db121ba21244b1e9a457204360d543f

SHA256
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

SHA512
fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB8.tmp\nsis7z.dll

Filesize
403KB

MD5
d3850d9ef1d81d2ee2e0a1583e3292f8

SHA1
36a88c987ac8fff6d97f5eea9af5c7421f0496ae

SHA256
47ee083861b20a03a751593073dfb533a0aa447833bfb190a73732c7efb2a2b2

SHA512
3af395aeb470f4f5f26d2072811be2d15e90597ed40d5f1a6ab53e6b66f8a143785868db0476cbf129751cee2ae070ddad179848830e1215393c826101f9caac

Download Submit
memory/1684-412-0x0000000003810000-0x0000000003812000-memory.dmp

Filesize
8KB

Download