fd3930ade2ad5f3d7ce6d0a89cfb934e07c18090679904dcb068d790c559170d

Analysis

max time kernel
129s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 14:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
Size

406KB
MD5

d688a340441d370588dd0faf0c528976
SHA1

3d5f6ab68517fcb4bf29daea374062cdc1089edf
SHA256

fd3930ade2ad5f3d7ce6d0a89cfb934e07c18090679904dcb068d790c559170d
SHA512

b6e1d230affd24ad95623a87443a07fe37a1beb7386c5514a45bfbf0294da38b63c6d06336739c3c9e0537d3a8b350a65f75c0017ee8c27e65742055aa750fb5
SSDEEP

12288:itxqBTfXKy/TNxDvb3NbIsnlpRkIg8jZMkIqWM1E56:exW/ZTLrrJkKMdqWMi56

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4876	eqs7484.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\RCX200C.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2342.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\RCX3CE7.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX3D2A.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\RCX1B1A.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1BF4.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX37C0.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX3C8F.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCX346B.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX3D5F.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX32FA.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2429.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\RCX3CC3.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX25B5.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX2649.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1CFC.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX2582.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX321B.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCX1B9B.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RCX24FB.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\RCX1F9D.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX2394.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX2829.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\RCX25C5.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX2A59.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\RCX19CE.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\RCX1B5A.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX3BD5.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\RCX1E12.tmp	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1372	4876	WerFault.exe	83
4764	4876	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqs7484.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4876	eqs7484.tmp
4876	eqs7484.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 4876	344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe	83
PID 344 wrote to memory of 4876	344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe	83
PID 344 wrote to memory of 4876	344	d688a340441d370588dd0faf0c528976_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Local\Temp\eqs7484.tmp
  "C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 684
    3⤵
    - Program crash
    PID:1372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 704
    3⤵
    - Program crash
    PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4876 -ip 4876
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4876 -ip 4876
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\RCX3827.tmp

Filesize
24KB

MD5
67b757a7c4d5c283d920810974e7efa2

SHA1
d46138510457b3baeba6deb589c1d5f39c851e33

SHA256
34736cb3fd78d842fa9ddb1a9ba3f3d0691757811cc4ae95b4629b8fdf71be59

SHA512
72504025d1f914be24f82745218ada893063c26b53a9a44fcaf3e0ce35d42d3d1e06fd93c2e6f0bf25d784b756bcda514301cc9d08a6e9cb4ab511415e40aa64

Download Submit
C:\Program Files (x86)\Google\Update\RCX3828.tmp

Filesize
24KB

MD5
1df7829c9c106d28f6d13a76b2f1998d

SHA1
af1e1a5fed7922fea01bca3cf7f6ba0a019dd580

SHA256
74346a1ff9d85df591b7d3cd5904772cf12688c6184d09d7101a4c289b11ef1d

SHA512
978cf620e3628bd24e8be98ebb9898ea7c6361de96f5b61ddcf5927119dd6b3076f979bf95a0545ac2e9b536ac34042efa4a8fdaefa3398e9e6949c6ecac48d6

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateBroker.exe

Filesize
122KB

MD5
aee3ab29ea30212501a19ac75540ead1

SHA1
9248451768bb1cba498c3982ea33955cc46734a8

SHA256
9256fe658fde3599cc6dc6b2dfcb92a895ac4ef212a853a471e7276ec2483a6c

SHA512
e80ee908fb525f9866769cb552e95b0305b79654726e2b510b6bbcbb158dea596ae2f709d4d3f9330594b3f91accf72648b39147c2002d426769e18558d68375

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.15\RCX3CF7.tmp

Filesize
24KB

MD5
3c95643ca65e9e593703c4a022c06b71

SHA1
2831e5e13915455e879282876fea02e1573af4f8

SHA256
a7cd5bc4b3ce284ad8edd998d3ed232de68cff52fca0cd196f1c66e54f1ba548

SHA512
0e2905dd4d39e0b340ad1e35bac265808366790fb73ce102d1d2469c21708969aa43f49b13880009bb0248ff8e8e1d414111836e3935e3ebeed6bb6fcc2d3300

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

Filesize
139KB

MD5
c7e231c105995d56eba76aab3dab47d6

SHA1
9ac3f4f89794cf7156550d8bf3762a06a97ffa8d

SHA256
c16ac4989df10c51efc82a3dcc56cd410431ccff9073c60458e20cd3ddc3d433

SHA512
7b2160d2db753cb23558a32973a8faa6afbf7d4fff4f43e50434e5fe6245147d2b6f90424b3f139d175fd55ebf26099f215acdc83fde7626a2c2043c169e2587

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
04ad4b6eccda69d8053ca1afd062d5e6

SHA1
656755eb149ee7bc22f87978c6de2b11bcfcade0

SHA256
b3b84a1f8567a0f0081340ebd192ee3547479a0b5b28ba78d3c4beeef906c0f3

SHA512
8d503faa55b4f39fa7300e898b0bee351b3c3c781395fded253a53387ba5c49e4f1583dfb3c0acf834124e606f3170cd7b2df2c99616c4766b208386fa1fa465

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
942KB

MD5
3a1a023908868f55050839fa8797fe02

SHA1
797e8b5cf03f9dea2f3545c065ce34e129268338

SHA256
d8f6e4bbb86c18116e40b93619949f6bd06860ffc3eda2f81f8420bd365f25f0

SHA512
aed00a0f2a185305952546d1fbd1280af64938aa8a233ffe6c8f6f02d646b7bc59e81952bd183f9014cfec5b6e892fc55c7cfe7ba1e25162ba8aebec3ec5c045

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\RCX27CA.tmp

Filesize
3.3MB

MD5
ea836dea2eadc1fc87e49797d9ac4208

SHA1
593c0641b83f30c8b3ba10338d31a4763080e97c

SHA256
d1cac1d0a7d5c114db93c9f95b92591c5b851c45dbb56c743834ce981d2214cc

SHA512
a5afc47498534aa87d2e0cf1adbfec5da728129b9169ec958a5316372c0d94b8033c22f19e8319df934ff1dbef46bd59209867e0a385de29b814fb4e82f8c0f0

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
115KB

MD5
4e63d5c36b153acbef6d14ded496b2ff

SHA1
4e92c051d6e43d89e9a80e0c48b4757ed956579e

SHA256
3f3fddbb245396f899b38f886f2f25838d069aa20e624f3e484e4d36966a46b0

SHA512
95557c2b8a8c404e7fd489f4e55eebadf6287f126fd7d1b64f691e57b86247db8c6de4baa8e648a0c2d45e7ddc1747944de4e8ca23bbc55f9c48436c15c2baa5

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe

Filesize
7.7MB

MD5
ab2208be84a3a28028cdec619f16a0a1

SHA1
49f2fa963527f6553c9815e98c47444f4b60c2ae

SHA256
f1596d1ad1f768927cef87e91cbd2c52e360668233aeaffe17eb0d4cf9059b54

SHA512
b20a8672adb876d85cd1805520e19082471f19db7e349a4a9a59ec1148b1ce2fdef5aff9142971428fee0e8479b05096ce6e0649781394dd0c1b0943f3e9aa53

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe

Filesize
8.2MB

MD5
f48ba97abb92d6114fc43fc0af25e287

SHA1
6932ca17abef0018c9a3d0652874877adec3ad81

SHA256
c1a7d02c5b0394062ee79d748587afcbf73e419dcb8d754499326b9414c99f49

SHA512
6ca0696424e262e78f95893b28294550a562c5a914205861c582bb8893faffd93fc79eeb8d80f882886c066cf484deff5b17642c57f18bb1a005ff7ac4133fdd

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX28E7.tmp

Filesize
1007KB

MD5
9ae1356094eb2e4147b2cf53d73867da

SHA1
bec29320b0c234eaeba9534c795a88cefd3e1fbf

SHA256
c753784f7373026a7d09ec14e279b6fcfa9b9b269936db1b675bd73cf1581b7f

SHA512
71f2413f1ef5bea2b30abe5a7ac0ed5d7f37da6f251e08bb188e2ec89a67995987435f6ee30b547c48c52a05ec9fd4dc530484452d22aa3484e28aaf1158a7d0

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\RCX3E13.tmp

Filesize
16KB

MD5
367fd0ed723b669619514265db27fd9f

SHA1
45e5059ba2dd1e4e54a1a6735be5e2b5ea84b4d9

SHA256
3d7576da8587b15cf33295b756bae830439560d250e34b60fb0619f51180d3f0

SHA512
4876d7b6fbea18b1843599edc6644530477c966d983ee80e1be8e896d30ced9124619688b8d4b22ffaacc5aa063cff56d3e51e719c3653bf695fe7bd2f996a3e

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
626KB

MD5
cee1c569ce8cbf9c1a9aa54d4f806abc

SHA1
5063025ee8a81407c4dbe56c01d50a821667153c

SHA256
8b2923a19b27665eb96d3eecc5c0a1d1b74b7eb4250b3effdf980cefdf52703a

SHA512
4382d68a1eb816336dc98bd21552eb8f002d32e293275d82998d52123630feb4f0ceaf8b837652be41f08d6d9971b5204c9758e3cee351a0f448d2869a057032

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCX3E25.tmp

Filesize
16KB

MD5
9214178779d1764b1b26ec36211ca00e

SHA1
d36e4a3a2d7a5f47ff6e7c55984c5231f4123acb

SHA256
cf13da778562ddaf32cb3915fef8fb0a9a4ae90318cf8a3782c8f360f195a9ad

SHA512
edcb4d717fa0dbb0d28709a38653b658f72e6107d8b5dd99db87b4142b8f9fd38d27cd21ae18c7837b7b36096a955317df52248a07c477b84f4c69a2b5514235

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
626KB

MD5
3b133909098b290aeede81959454f168

SHA1
4a4e598401976a0899557102ac7f4d92ead49185

SHA256
fbf213c89b83d366f2ef4261b74e09d950d0676a0d1436e6e6f6824a6edc74ed

SHA512
a7160e554779fdf2c7015ad9b469cb71b365875f1b73e8ab908625fe22215040e6e05ba9216cd27b072a92753b72f55b94cc552c4e26ac4e761d93e44acd0c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RCX3EF7.tmp

Filesize
367KB

MD5
c05febce5b7b9f0dbde4d83c70c516ba

SHA1
42d2c559a94075313b8c81402fe6569abb32b976

SHA256
68b7906c3c95d7a6d281000f291293b906e2f20945eada8aadf70233324ad82b

SHA512
1642a43e3ddf746339b0a72e7c8c96d2aacd4530cea174e7b36cde973c95cdd458d9873365d5340faf7a497d276aa6eee22a5f244a8506c71e64eca9763953af

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqs7484.tmp

Filesize
333KB

MD5
9ccd7d633b58589c239aea2d0b10b77c

SHA1
216ac8951c272f3b2fa78a4d5fe074ac4c6922cf

SHA256
dd7747c5eb6c943bfd3dd5f773a020e71299928b4738db9b0495e01be554e417

SHA512
8370b34cbb04548e21628ce3ec96a1364d13194549aea545d1f8140536289b8cbdd31dea96f3c5eda72353b49fb784612fede2c194d5c6cbb84851cf6bc50c90

Download Submit
memory/344-0-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/4876-5-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/4876-6-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/4876-7-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download