4d4a9dd8b239d394f1998b481cdf83f869be2af2d8d568fcb47648d0d42bb71c

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe
Size

1.5MB
MD5

0904efe9f63a556f1ea8695cdabadb96
SHA1

0b7eedd5052276e02008f69cb85e7e4d7c5b3535
SHA256

4d4a9dd8b239d394f1998b481cdf83f869be2af2d8d568fcb47648d0d42bb71c
SHA512

181fae5866bbb2567a43a30ffe2e5ca7a8d016491a66f2b2fc0a725c772cd2e46f806d23ba23946c223ecf7e510657d763f748874f2e3247c035eba1942c3618
SSDEEP

49152:NEe3jEfDI94myN4ghZ1KX82Bh/Dd0r/P9JPDdabvwM:NT/9S4OZ1KX880jPfbd0D

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2360	netddee.exe
4620	setup.exe

Loads dropped DLL 10 IoCs

pid	Process
2360	netddee.exe
4620	setup.exe
4620	setup.exe
4620	setup.exe
4620	setup.exe
4620	setup.exe
2360	netddee.exe
2360	netddee.exe
2360	netddee.exe
4456	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tabxnknbmy = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nss8CA2.tmp.dll\""	netddee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tabxnknbmy = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\mygyyzkpdgxymak.dll\""	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\NoExplorer = "1"	netddee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}	netddee.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	netddee.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	netddee.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	netddee.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sjefoaxqorrp.exe	netddee.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netddee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023434-3.dat	nsis_installer_1
behavioral2/files/0x0007000000023434-3.dat	nsis_installer_2
behavioral2/files/0x0007000000023435-6.dat	nsis_installer_1
behavioral2/files/0x0007000000023435-6.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	netddee.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	netddee.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C83E0A1-E25F-E501-CDC8-0FCFB8044502}\AppName = "regsvr32.exe"	netddee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2204404560"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2204404560"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2205341750"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134856"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C83E0A1-E25F-E501-CDC8-0FCFB8044502}\AppPath = "C:\\Windows\\System32"	netddee.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	netddee.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C83E0A1-E25F-E501-CDC8-0FCFB8044502}\Policy = "3"	netddee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AEFE84E2-807B-11EF-9912-66FD5BE5AD11} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434610392"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C83E0A1-E25F-E501-CDC8-0FCFB8044502}	netddee.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134856"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134856"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2205341750"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134856"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}	netddee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32\ThreadingModel = "Apartment"	netddee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nss8CA2.tmp.dll"	netddee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32\ = "C:\\Windows\\SysWow64\\mygyyzkpdgxymak.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\ = "revenuestreaming browser enhancer"	netddee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32	netddee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\ = "revenuestreaming browser enhancer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA9A80D-C957-4CD3-1DFA-AC5F496DA681}\InProcServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
4592	msedge.exe
4592	msedge.exe
2984	identity_helper.exe
2984	identity_helper.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4932	iexplore.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4932	iexplore.exe
4932	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2360	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	82
PID 2404 wrote to memory of 2360	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	82
PID 2404 wrote to memory of 2360	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	82
PID 2404 wrote to memory of 4620	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	83
PID 2404 wrote to memory of 4620	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	83
PID 2404 wrote to memory of 4620	2404	0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe	83
PID 2360 wrote to memory of 4456	2360	netddee.exe	84
PID 2360 wrote to memory of 4456	2360	netddee.exe	84
PID 2360 wrote to memory of 4456	2360	netddee.exe	84
PID 4932 wrote to memory of 2180	4932	iexplore.exe	87
PID 4932 wrote to memory of 2180	4932	iexplore.exe	87
PID 4932 wrote to memory of 2180	4932	iexplore.exe	87
PID 4620 wrote to memory of 4592	4620	setup.exe	88
PID 4620 wrote to memory of 4592	4620	setup.exe	88
PID 4592 wrote to memory of 1172	4592	msedge.exe	89
PID 4592 wrote to memory of 1172	4592	msedge.exe	89
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 4116	4592	msedge.exe	92
PID 4592 wrote to memory of 2352	4592	msedge.exe	93
PID 4592 wrote to memory of 2352	4592	msedge.exe	93
PID 4592 wrote to memory of 1364	4592	msedge.exe	94
PID 4592 wrote to memory of 1364	4592	msedge.exe	94
PID 4592 wrote to memory of 1364	4592	msedge.exe	94
PID 4592 wrote to memory of 1364	4592	msedge.exe	94
PID 4592 wrote to memory of 1364	4592	msedge.exe	94
PID 4592 wrote to memory of 1364	4592	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0904efe9f63a556f1ea8695cdabadb96_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\netddee.exe
  "C:\Users\Admin\AppData\Local\Temp\netddee.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\mygyyzkpdgxymak.dll"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4456
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ardamax.com/keylogger/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc00f746f8,0x7ffc00f74708,0x7ffc00f74718
      4⤵
      PID:1172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
      4⤵
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
      4⤵
      PID:4132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      4⤵
      PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11662725088119994580,8706208174235465569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1916

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
3581a0e6b4a2481b0d17c98cea4c6ba1

SHA1
f55e51abdb6324ae363802235297914a053947ec

SHA256
a904ea3ed03f1568aaea366c859b6f0610d0e47ccd5725c20132d3c10e11188d

SHA512
f9ea3d2712ca7ebb9c5826de7a89c59c7b2a50759baa83cf04fce4234d59e94d251560ab9e3bb845715ce54bc65187297eac9f73ad93adf034bca591cab3ab24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
36197a4fef91aadc18eac992cdf87ae5

SHA1
81dfc4c147fc779b68d7d34ecd6ba5d57087e361

SHA256
1b1d6d6d26e0b3c56d137c494e1e2a3dddbf32799f42dca6bb7fa4953cb9b02d

SHA512
26121e830f450e79515890da1eb4811da3f6c713f99980bde9f1dd7b9f8652cf9bbdf280dc1a7dd60a614d257d0c0a4a6862e23e91f0f6e13490f91b155416d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c7f56103c96548a446efdc32bb8f1f05

SHA1
ca99382faa8c9decb529113d8dbc6b9f7946dbcd

SHA256
edd4f97399a86ea3828be9d047760051ef45ab7a2c3d4e459b9dd12761fe8593

SHA512
a8528bcf0dc68878c3f12c3cb6c685ce98b2202821a8b05a139d5eb450f1f7e71f82d0f1bc62ae924fbfb21386d74bb4fe4c4e6ae04cc1d2ad7c9a3236abcf8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
812B

MD5
c24dd02c1197fcf35df24336b33604a6

SHA1
90bed1811d4bf2ba127c55271676f09172dc55d1

SHA256
2bdf2edd8d72f90293a21315da7ac9f88970325b94fa2b1a889f864b3cb675ed

SHA512
85e30b4bbadcecadf72197ab8e97b69081aee44d419c9b73413e4844587e3907fd0b23162c0789e595c29cebc334440f5add945c4cd06b3c8522025b8ac6bbdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29f443da7179770bfa263abc13ff305a

SHA1
20a44afa1c20b1b86669c4698262ef0580f0f50f

SHA256
7af32a153a17c792ce11c0fcdbdbe85857ca4eb4d95dedd170e64ea3bdd35b47

SHA512
5a2c0a5d3baca47e3005307046c913f47758418b19b680434465585ef1567852cbe192e6a45616d5613e202d67261147b5a42276578b8839d18a1a37f3d9346a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea395b7c4925f1c372debededfd87754

SHA1
d562a1f272e6fe117ddd4a51f7b93c647794fc77

SHA256
c07e9c8fd0943655639332c403b896ed579f3926a893e4a97f2b7f58d66a0ca4

SHA512
0740c8553e251659cf39c7c32cbc706a2508f468c9e4f24082ab4ba28add011a1aa0528fd4ed7e5c55ccdf3d2b715f6551c4a0885e4da57e97f6687fc8e7e114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2461e4d5c4778b628f5f852aa564e7fe

SHA1
082340f0c7a29d0e015a94729499a8190a995242

SHA256
dbea3ba8d1c9c7fe1e089f588baac34938df54fc0de42f1e8eec76ac5615864e

SHA512
35bc7cbfc1b77fdeffa31bddfacb9eb2c01bfd44787e70a1296f1438f17b9e370a18609b00b61509dbcc0325397e1604e87e01303f7daf34dbe42082885b3e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver635.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\netddee.exe

Filesize
507KB

MD5
ad4b2243c131ada12b25cb0334690a62

SHA1
811da77cfd2021738196ee13cae9ec9f239b9118

SHA256
ac7891555a255a9b7fe04b78ecfb035507414a6a8598422dab771214d1410a46

SHA512
ee207f92b0d45dab82b486fda7e5baf7e3a476a2418b866f4e00a15152e0a95284916c04137b19e30e078544c391a84840f6a88efe5558e78058e24b7501d049

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8463.tmp\UAC.dll

Filesize
13KB

MD5
7f56c0d6a8733dec142814ed5a58b0ee

SHA1
c119e66f179cfb758966f3cf878466057bea1840

SHA256
86445396775370aff5834f10bda25e505b6f89efc69a04fe1ce46f5d128be73f

SHA512
8b3b9bed985b3583b7be8b2197bb068e5d5508f8b5c4a7fc1278b2662dc8d9a53fd6df63f636e44bfc5aa37f030ac76b8d259d6b446bf87d5c72b74ff5b158f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8CA2.tmp.dll

Filesize
877KB

MD5
20a9c78acf901dd4328881cc067e336c

SHA1
e39e2011c8504dbea9356a0dee4770ea30d95509

SHA256
5dc895ed2436461a93e3faf2e89332ad78507608d8249c58b4c093e2d2d3b71e

SHA512
7e8483e19bcd1b03099eb7290e4fe32d1b232162da3da67cf29142c33fead4f82e3e6c26094ccb0aadcb7949d8cbb07db5bd56df8e9069a6c67fa2a8c4d51b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.0MB

MD5
c54a5bfcba4d9fbe1642188b068bc1e4

SHA1
f75f0f4818f53882ab4816d6db8043ecb7306c2c

SHA256
57cdd25b0f1d9e6db58d10cdbc49850e2fd71826ec637646703d97df9c148353

SHA512
92bd4b7317306f6aebf2f5b72f278908b1326bffe4c4c18fa4d82c9ca4c91d167412b3893c24c12bc0d399d48faf2e4159c60fd7f8a80bfe566258be1a9350ae

Download Submit
memory/2360-47-0x0000000018C40000-0x0000000018D22000-memory.dmp

Filesize
904KB

Download