6f028d1e75a30820f56024b27cbba28d6e48f7e5ab4e08914c20a0bcc18a334f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
Size

32KB
MD5

a5e2c7c260691823cc3c0467e55cf263
SHA1

e6370fb4b0d447c7b2708ae07c1d2c6b25cdcc05
SHA256

6f028d1e75a30820f56024b27cbba28d6e48f7e5ab4e08914c20a0bcc18a334f
SHA512

f36fcb171074e804614be80182e9b4e471682be2ee5d5a072f887906b59fcdc1e8d2dc217a571594d31b86ff482af25d3be8d3cbb64973117d811d06f172242b
SSDEEP

384:6xWUcVYpq5gMwjBE61DLUYkAbEWpdU7Kp1WfKiojP/H2RFE5MXFPOMjULCbQKuAF:hLvgM81D3vp1qUjP/H2RFLPxU+btW+tL

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\I:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\J:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\R:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\S:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\Z:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\L:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\U:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\V:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\W:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\Q:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\X:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\G:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\H:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\K:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\P:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\Y:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\E:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\M:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\N:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened (read-only)	\??\O:	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bthudtask.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gpupdate.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\icardagt.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dllhst3g.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ieUnatt.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srdelayed.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIADAP.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shrpubw.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hh.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIC.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wevtutil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wimserv.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ReAgentc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fixmapi.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fltMC.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MigAutoPlay.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NAPSTAT.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntoskrnl.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tzutil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TsWpfWrp.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\help.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\MigRegDB.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mfpmp.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wecutil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chkntfs.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\iscsicpl.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sfc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mmc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_1c140627131a6df3\mcbuilder.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\servicing\GC64\tzupd.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rpc-ping_31bf3856ad364e35_6.1.7600.16385_none_f9aeffb75a698a7f\RpcPing.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..otservicing-utility_31bf3856ad364e35_6.1.7600.16385_none_d139a2cea567ce3f\fveupdate.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ShapeCollector.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\perfhost.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\WmiApSrv.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\msil_servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_1f2918adb8a9c100\ServiceModelReg.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\Mcx2Prov.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_082f99a432e2a661\smss.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-addinprocess_31bf3856ad364e35_6.1.7601.17514_none_8ebd3037635a8b2f\AddInProcess.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_d44c0ef849349ed9\regsvr32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\qprocess.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1beb53526fc80c8d\iexplore.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_77536d124094b997\TpmInit.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\notepad.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cipher_31bf3856ad364e35_6.1.7600.16385_none_090b7101bec9a9e2\cipher.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7600.16385_none_7c6ba3bd1f954290\wermgr.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-taskkill_31bf3856ad364e35_6.1.7600.16385_none_25545528bd642170\taskkill.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrs.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_1179f9944d0d9973\certutil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ca00459dda59f6f4\netiougc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7601.17514_none_e7b3b71a1d1c8662\taskeng.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_e6af0acbde467b7b\aspnet_regiis.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inkwatson_31bf3856ad364e35_6.1.7600.16385_none_644c1a991aac9ffb\InkWatson.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_6388acf17dd74912\SystemPropertiesProtection.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_6b683cb78f534561\mmc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018\lodctr.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-ngen_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_046c078df2caf5d8\ngen.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_6.1.7601.17514_none_f06adab455a2f1e9\WMPDMC.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ieetwcollector.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.1.7601.17514_none_08e183f8dd5f48b7\smi2smir.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-findstr_31bf3856ad364e35_6.1.7601.17514_none_2936f54db7f6c08f\findstr.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a\winresume.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-runonce_31bf3856ad364e35_6.1.7601.17514_none_17c23e881d4a0b0b\runonce.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_ca4e9bcdcac7feed\ntoskrnl.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnetwk.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_6.1.7600.16385_none_fd9ec705e687f8c2\WMIC.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-write_31bf3856ad364e35_6.1.7600.16385_none_bb77c3d6f6c8e3f6\write.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_d5642974be118415\notepad.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\doskey.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1444	1928	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1444	1928	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1444	1928	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1444	1928	a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a5e2c7c260691823cc3c0467e55cf263_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
446KB

MD5
270a865c5e8a9be95970174b5d5286b7

SHA1
a169de8581f5779d4291fd121d8a258348bbdcf8

SHA256
f202911cf2be96a19ab11c2f203904a3857db27448d21336dc662f1126c7c75f

SHA512
5a5f4e3b6327d2c683276074dc4e783d99550263f3ee08590c35dbdb914256d5e25e4e6e7dcad3f406198734322b334795574712eba6cf28a3cbd48b5da85766

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
634KB

MD5
53f8d6c1b84c114dbfa18372eeab9b33

SHA1
f9c8787b51ab54d20a5055dfffc71c7d1c09a82e

SHA256
60a2c811e2d50cfde6368ab3890500d549381203a2b4ee20c3858bd678598240

SHA512
ea799afdd16e78bf2be0ba546d6302e6befbd34b34334e128c7e8a1e56b05cfd377ea11ab447135d20191ed6eb92f2487586b06cb422f0bd843a1ebaa0979471

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
635KB

MD5
1282a360c13de3941e22454d55e93bb3

SHA1
3c17db80df879002ac6af2f467487c407512c7dd

SHA256
d0042d62a691b633f6209fcddd1b49c4e8c012ee631aec66307e2ec1b5325173

SHA512
60bb8dc49c73fda3039f7ffce0f1e463c53cf2db76c391104f811aabd520290195ff47242165c0546d48074e302e06f209faf60ac0de815d903ab4afcc0ee3ac

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
456KB

MD5
e957c69deb6a861f383999c595e9960f

SHA1
a91c91db9b9a0f5d634a5303878c9184fe6dbcd2

SHA256
7e7b89461508d4991da1a52c7b382e1706318aec39a7d47730094dd156abfab6

SHA512
869491c7b66f5755ab73359ab1a941da434ac12d646205d214078029dc9c31d59b3960707533d52f80786092525ae83206fd4f38f62b3d99f96eb4513f384228

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
446KB

MD5
3fb88a8e7e54aed23029fa6aec19aaf7

SHA1
68730888f03c5f72673e7ea552e6e77436f6463d

SHA256
bfdd0b532c5c0641f70fe327a6d44ed538e79d3a9de34b1638c83e772d4f684b

SHA512
d34d45f8395a1db65b45a6394cad6cc6d3e7617c1038932df84b4d75b171f5258e72b9f27b802261bd644c3f1bf918c001401898e5c7f7185dcef055a24f4e96

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
456KB

MD5
d0aa7ac1ea855e836d556c868980892d

SHA1
1541670f85e7ca182dc6b9d4ef76c2be61661bdd

SHA256
9199b84751dcf16993363594ad4834124b6c00d0092acf05a510b55689353f18

SHA512
51f9833bb92e58d60a0c66dc01660b08e6ded9212838346e5da54590f62e57979e7d1a4b3d849d4cfc81a79348292bc20135e0388e014af2d275c2f4b96f990e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
147KB

MD5
6c485ed897a3802add92bf054c369143

SHA1
f07c9ab9c7b3eb47c48aa5f9531f89052c75a894

SHA256
b4baeec0726e040735ef98672ff2b010aed1da3281601391651f1eb6762ad192

SHA512
a985ca1e2c73cf114fa7effb886b35238e2e4db2d674d73dad2e846414421c483d9b6a5d1d6647c6206fac45178d137dc35be177266f6c1f61db85147be08f9a

Download Submit
C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe

Filesize
559KB

MD5
17c479142aeef57b7850991b9c0df76b

SHA1
7b22ae403a5897eef3a9031db997f6080ad2228b

SHA256
c4d8fc042df5b69f34877fe6be62f6147263bdbc6f0cef624994a103b4fde500

SHA512
a1e0bd42c8f40925edd9e8596b210322c2f28be617af31dce928f12d393d0a9bf816da63fc5d9e6fda137ff4a4eead7b8297bb8801d7f0de6dcdf6a31fe5663e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Filesize
33KB

MD5
582d6c0b59d8fe311ee13eefe109608c

SHA1
b0905dc8e55c152cc2002ca40fab29f73cabda0b

SHA256
7fb96c5c69beb50b27098433e0df15d7be74b9f7b211aabbb1cd2e7e7c8a53bc

SHA512
a4567766892b6c6f5e5083ec1e4cd81fcb3a671362bbcf3deafc68dc598410ba42e75abfe9622f57183de82724326c228c21a4be3378c603b9fb96491d06bf11

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe

Filesize
92KB

MD5
24be58d2da4af68aa3a05d7f362046cd

SHA1
137909c69a94a28412fd9d06bb2f27dc9a337515

SHA256
2b769b423b1aeec83eaeb17cb7fff9e33735f92e6955d8f8ecd76e1aad63b7d5

SHA512
c32c7a47825da0520feb629907b9c52d89b4dd732f72f710cc63e84518ddc6e152c99da103c436cbb01ba14a0c015a26b06b56a881f80f52787df0bc0b6b3599

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..erinboxgames-spades_31bf3856ad364e35_6.1.7600.16385_none_6fa6d7361acba514\shvlzm.exe

Filesize
94KB

MD5
37311f3ef12fa4a85be12185cfbd74e4

SHA1
e59aa26b6cc28c92b7ef08b5bc9f05d080e20e8f

SHA256
b9c3310ee2d4d426a02d04821327c629bbb9b63ab72376a7acb6865997b108a0

SHA512
6b097002e0b77488713054763c3cfcc9676b373510b7f58b8b28e1a476826ce6eb9c1aebaa664d75958b79d1643d5692a35b56f739bf6038d1bdde940597d350

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7601.17514_none_d467c138cbce0b24\chkrzm.exe

Filesize
101KB

MD5
c8c25ea4c63b17c455e4c87a8ca109cc

SHA1
9cf06dd3d9f6ddfed4b8110c223a07fe8da0ac50

SHA256
7220e689df0654c04413d779e79660170909880331e05947ea51288223d842bf

SHA512
98e5231a814cd75acea2f86a2a59620bc952e1f074c6a23f049d359893549a756384b1c637b538c680bcaf88e151f4dec50378ebf9bca6e8e7778038726bc962

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_b466b741b68bd29a\FreeCell.exe

Filesize
830KB

MD5
6f60a8afcbe254b1eb72db381393cd14

SHA1
5cf30334ddebf83105f79c606eb847b802498ef5

SHA256
e04466372f538498ed8935694c9be13f9ffd4edd3a83f69e866441dd86d72194

SHA512
2570776e84f36963ef5f5cb6f4c662ab6e2b22def407a682ef3069b1538af2a8b4d05ace75d99ef5722b68e0c646e0023a855be3d3420bdad8331375b663e539

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\Mahjong.exe

Filesize
801KB

MD5
9af4c5293e1724ca9c42a2d60ee79311

SHA1
c65d655c1b97421a87ea0769788365b2f049cfb6

SHA256
59f5c888d830b0e6b6bc39d949de8cfa97ef5b873af10a09fbfb1b0034351f96

SHA512
ddbadbf75221fc807da8e06f9b5f049c775390329c4edf090008fd9be2fb19954d2602f091b50aafc8d967ceba0036e1589a67a4f7b553e0840cb7bf52deb866

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe

Filesize
3.0MB

MD5
e045a736843c996e7816b6a21dbc90ee

SHA1
10fe6d9fc557d2d5360b249a0a00270aa589c8d0

SHA256
136045a3249f9cab80f458bd06b6474c41eee362835556f66067cd28c71b5c30

SHA512
002aa110578e9668146d1f4ff80f1cf42788b3f156c604fbddd01de55c53ae0d817074f9b270b63e400473d8a47991ed47d264f32e3ddd513593b366484930bc

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe

Filesize
751KB

MD5
0a4e8ac3748e8c0e37bdd60f2e9a970c

SHA1
de65be3336ceddc9b1ff520220d1c12fc72e7890

SHA256
bb6a6373224b6a6bd3dfdf9e84c8b76f53d7c9760e3565e9560a72b6020e0c38

SHA512
6bebd4e02877a94de9000a50aa744adc0201278e7ec8e1191c135a0b7020c6c07050685b39101510bb1d5415d91b7eeb634e2a33d3005a8f101ddf701f19777d

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..mes-spidersolitaire_31bf3856ad364e35_6.1.7600.16385_none_dead260d8f002b73\SpiderSolitaire.exe

Filesize
846KB

MD5
bc2048f9dba6fba388a237637548d782

SHA1
75967244f852197f1550e7ff3e656c772f6818ec

SHA256
cc6ee66f1dbdd5abc7ed78d6b4f8576423b6e41709dd6d87620f7f10b4e91605

SHA512
1197e0cff44ac01cf6b3f518a3240fa0a10c07c0c644dc1d2e7877a9cac3f184c5bfacba41a2b40b73bc6f1cedb1abd8267a421491806316e27d81d0210a24d7

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe

Filesize
844KB

MD5
6fce6bbff61b2f43fa9442f690f21c27

SHA1
6a461a450115fc16b634f4818790372914af2915

SHA256
c5d624d7fa3904119e1f3ed1f9c47f9a2d160fe639a9ba6f030d720b655538fe

SHA512
c283e2c26dc64bd08da1a91007b2c15f87bfe45afe426706706292e59719eb8cf19b94ad4363d4c9ce9f9c8572d801cc9425101c08deb0f780a3f4952daedb43

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.1.7600.16385_none_fe560f0352e04f48\MineSweeper.exe

Filesize
849KB

MD5
9b021e4ee020c3d89dcdbcea372c4f83

SHA1
9390638364c2204c5078644e32c0164d814f5c12

SHA256
af46ae76aaedbd7670c32195dda131c00bdfeb0219e0610c69b5595512d77036

SHA512
232dbcb0efa253df1949c25e459dcbfdf090234dc954937fb74eecb74f45075f1fd3f917259bc6999ba5a7f538fe58945ce0d9a5d41ccc501810d84e2038d077

Download Submit
C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.1.7600.16385_none_622070221822eb39\PurblePlace.exe

Filesize
1.2MB

MD5
d665f38b1214d2d9d356c5a5a9da109d

SHA1
a732cbdad2e68472dc9973c630be3ee4b4addb0a

SHA256
638e0e44114cd2ba320a8ed0b6d24abda128311c207157554c083486828d39a7

SHA512
cab9b7621182bbc35ed18b297ebf8c12952058129a55608d42d203e6cc29b88b90082fe150122611f4784de04831809fc4610bfae1f1c85061d0e7a94b400bd5

Download Submit
memory/1444-1-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/1928-0-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/1928-531-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/1928-528-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download
memory/1928-721-0x0000000001000000-0x000000000100B000-memory.dmp

Filesize
44KB

Download