b474b15d0895ef9f6bd317c0aa884878360701f96e98ed5006529e2c53acb8cd

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe
Size

4.0MB
MD5

b155bc0fe5e27121ec1a6f8a23992726
SHA1

d0c4345974ceede74670036a89af9061f6f42e56
SHA256

b474b15d0895ef9f6bd317c0aa884878360701f96e98ed5006529e2c53acb8cd
SHA512

b27dfcbe1530dba99247d4f5386564e7db304b7520cfe5fa6daa1cabfac322ee5f1d28b8221f430db0b933d3f20eac500152cc033873a8e4545b1275b9334a90
SSDEEP

98304:X7J54jjrClrspscKRdyhr4Ntw+IWWbVF22fzf2B:X7EGlrOThCnoFX2B

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usbhubsvc4\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\NTLocalData\\msimg32.dll"	SkypeC0SvcService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation	SkypeC0SvcService.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk	SkypeC0SvcService.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	SkypeC0SvcService.exe

Loads dropped DLL 13 IoCs

pid	Process
1724	b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe
2160	SkypeC0SvcService.exe
2512	svchost.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "C:\\Windows\\system32\\regsvr32.exe /s scrrun.dll \"C:\\Users\\Admin\\AppData\\Roaming\\NTLocalData\\msimg32.dll\" htvrh666 \"C:\\Users\\Admin\\AppData\\Roaming\\NTLocalData\\SkypeC0SvcService.exe\" r"	SkypeC0SvcService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe
2160	SkypeC0SvcService.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2160	SkypeC0SvcService.exe
Token: SeShutdownPrivilege	2160	SkypeC0SvcService.exe
Token: SeDebugPrivilege	2160	SkypeC0SvcService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2160	1724	b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2160	1724	b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2160	1724	b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2160	1724	b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b155bc0fe5e27121ec1a6f8a23992726_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Roaming\NTLocalData\SkypeC0SvcService.exe
  "C:\Users\Admin\AppData\Roaming\NTLocalData\SkypeC0SvcService.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "MsHubSvc4" -svcr "SkypeC0SvcService.exe"
1⤵
- Loads dropped DLL
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab363F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\MSIMG32.dll

Filesize
70KB

MD5
0b4279955a1709d04838fc3183d7342e

SHA1
747b72e37d21773f9cf50d914033b153a0940975

SHA256
1948fe4befb8f7846a7461e01f1c60a0096a941afd7fb16e47794c26a89e99a8

SHA512
c5a05c7613613636aaa82ba497e0372d08e5748484bddfebd5073f5084e79a3d1567b2a9475c1ef8688eb15d2ac8c48fca23b9491b056594b2294811d05154ed

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\TeamViewer.ini

Filesize
154B

MD5
5b71453ec471c85212da6fd1cc8d6faf

SHA1
68f126c3207a723dea81a07315f63f7bfc76424f

SHA256
11171890b6a5de0df0289fbba78fe8c3e47b3cf77866e60abba0170c3ac2043c

SHA512
15b8bbe8fab86b8dbeab48795d7fe09665b3bed0f6068b1129e634d06ccfde202210fa6e700e184cf85702c0016fb0432f3bf33a091dc246eef09c3f61087fb6

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\TeamViewer_Desktop.exe

Filesize
2.2MB

MD5
36738935b6eadbdf570002ee44990360

SHA1
2621f86a0307a6be7032266db868c7af981bc016

SHA256
46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c

SHA512
5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\TeamViewer_Resource_en.dll

Filesize
285KB

MD5
5850b0e30cb6493170ea8d073f34766c

SHA1
d80b0181edca5be738f8c1c4355c4785d0360d06

SHA256
97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda

SHA512
a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\TeamViewer_StaticRes.dll

Filesize
2.5MB

MD5
4202e46ac536822fd7043c38e66d0ec8

SHA1
c8908477b539931168e9437d4e17e7c33fb10141

SHA256
542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4

SHA512
20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\photo_2017-09-29_19-11-18.jpg

Filesize
270KB

MD5
0a7375b12bfd57b8c1b1268bcbbf7ad1

SHA1
c6b0a8f339f343f9f2a8aa25e834115f477dba9e

SHA256
4c9ec814c42bcd15f7aa0671870cdaf268fdc55c1a003c622ee1fc4e59e3cc40

SHA512
c18401399973c0ef3b82c67c9092aae4c10054a75e770060154f956b50e069123a223f89e54d13104dc3be4a8e4ff3dbaa1a5bf156f7fb3d1d6314fe67d37a1c

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\tv_w32.dll

Filesize
66KB

MD5
55b4875e6dd84b1a547a91a789515dfb

SHA1
ad598670ced636134f85c744f6283a16e3766d1f

SHA256
a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9

SHA512
d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\tv_w32.exe

Filesize
104KB

MD5
c16719e5c670b7c18aab69dea8ea8c66

SHA1
95c9c3b44dcca278b42cb20b1e27d88ae4006f39

SHA256
c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689

SHA512
9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\tv_x64.dll

Filesize
80KB

MD5
6f68147027ba59a8af86ffe1b8fc6899

SHA1
99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458

SHA256
07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6

SHA512
5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\tv_x64.exe

Filesize
126KB

MD5
8e50a67752bd070fec717216b9376a7f

SHA1
19c776fd0fe89d6cb3f372d89cac4adf65dabe24

SHA256
f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b

SHA512
be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46

Download Submit
C:\Users\Admin\AppData\Roaming\NTLocalData\tvr.cfg

Filesize
457B

MD5
a5f5c911806e3ec4162eec75ce7e76c4

SHA1
cbbe893579e62153b178acb3c3e09dfcb839ddf8

SHA256
13167a08fcb35d5c8c10ae37c83a626e8e9af5732e71da3bedff20259565a74e

SHA512
c8b2df6c83f914eda3af7cd25bd61ba704f76befa7e4f79e5a3ee127b6308f49dd492aaf8e76d4b9d68bbc22feee91c5637cc912c1913df4039ea0d9c3bb681d

Download Submit
\Users\Admin\AppData\Roaming\NTLocalData\SkypeC0SvcService.exe

Filesize
7.7MB

MD5
f5fe906f801d99fafa8a9e0584a37008

SHA1
a80175b91e3f9606e63dd0d9a9271e23bbe10321

SHA256
10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b

SHA512
ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de

Download Submit
memory/1724-36-0x0000000002B30000-0x0000000002B32000-memory.dmp

Filesize
8KB

Download
memory/2160-24-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2160-40-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2160-19-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2160-18-0x0000000073D30000-0x0000000073D46000-memory.dmp

Filesize
88KB

Download
memory/2160-86-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2512-45-0x0000000073D30000-0x0000000073D46000-memory.dmp

Filesize
88KB

Download
memory/2660-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download