cybergate | 3e87add7e25873a1817d34c80d18fd0146757885800dd6b3ed1cfb92b94d6e65

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe
Size

4.9MB
MD5

0a835aaadb9f68d5eeee90c11b200f0c
SHA1

20a19c6b7116ada0f7b357ebdfc89f263e7e896f
SHA256

3e87add7e25873a1817d34c80d18fd0146757885800dd6b3ed1cfb92b94d6e65
SHA512

377261bfd4c528c813fc1a39f01f4ace4a1715d864f47ce9118d04c48fd7217b218583ec451418e1118836fe52eaa485f40d224676adc3d343a5e9a1fbb5bc82
SSDEEP

49152:Saezzkd+DFLqD49T8abZoVbS+icNBejkjDk4b:

Score

10^/10

cybergate cyber discovery persistence privilege_escalation stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.18

Botnet

Cyber

derekstephens82.zapto.org:14216

derekstephens82.zapto.org:55479

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Your .NET Framework may be out of date. Proceed?
message_box_title
Gmail Chat SMS 4.7.6
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{NTUJ5VRK-32FG-8DEO-8OVS-JMG8QDM8VQ7I}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{NTUJ5VRK-32FG-8DEO-8OVS-JMG8QDM8VQ7I}\StubPath = "C:\\Windows\\install\\server.exe Restart"	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
3536	googletalk-setup.exe
1304	googletalk.exe

Loads dropped DLL 7 IoCs

pid	Process
3536	googletalk-setup.exe
3536	googletalk-setup.exe
3536	googletalk-setup.exe
3536	googletalk-setup.exe
3536	googletalk-setup.exe
2320	regsvr32.exe
3536	googletalk-setup.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Talk = "C:\\ProgramData\\Google\\Google\\1.5.1.6\\Google Talk.exe"	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\googletalk = "C:\\Program Files (x86)\\Google\\Google Talk\\googletalk.exe /autostart"	googletalk-setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023416-7.dat	upx
behavioral2/memory/3536-11-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral2/memory/1600-53-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/1600-50-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/1600-168-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/3536-415-0x0000000000400000-0x0000000000440000-memory.dmp	upx
behavioral2/memory/3536-430-0x0000000000400000-0x0000000000440000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Google Talk\	googletalk-setup.exe
File created	C:\Program Files (x86)\Google\Google Talk\googletalk.exe	googletalk-setup.exe
File created	C:\Program Files (x86)\Google\Google Talk\gtalkwmp1.dll	googletalk-setup.exe
File created	C:\Program Files (x86)\Google\Google Talk\uninstall.exe	googletalk-setup.exe
File created	C:\Program Files (x86)\Google\Google Talk\testperm.txt	googletalk-setup.exe
File opened for modification	C:\Program Files (x86)\Google\Google Talk\testperm.txt	googletalk-setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\install\server.exe	vbc.exe
File opened for modification	C:\Windows\install\server.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4824	2864	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googletalk-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	googletalk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D12388-C5E9-468C-83B9-60AEA2E658DF}\TypeLib\Version = "1.0"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\LocalServer32\ = "C:\\Program Files (x86)\\Google\\Google Talk\\googletalk.exe"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38FDD2C4-9164-4EAF-8C74-24D764FF613E}\ = "ITalkFriend"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{7a9d1480-c6a1-11da-95ab-00e08161165f}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{226b64e8-dc75-4eea-a6c8-abcb496320f2}\Google Talk	googletalk-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}\ = "ITalkPlugin"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\TypeLib	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{62d14448-68ff-4c37-a7f2-31105a1be427}\ProxyStubClsid32	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{4c9dc108-c73f-11da-95ab-00e08161165f}\ = "IMUCTalkPlugin"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A9D1480-C6A1-11DA-95AB-00E08161165F}\ = "IMUCTalkAPI"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}\ = "ITalkPlugin"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38FDD2C4-9164-4EAF-8C74-24D764FF613E}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\LocalServer32	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\TypeLib\{7B29C130-826A-4070-BA18-EC01E703D244}\1.0\HELPDIR	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\TypeLib\{7B29C130-826A-4070-BA18-EC01E703D244}\1.0\FLAGS	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C9DC108-C73F-11DA-95AB-00E08161165F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38FDD2C4-9164-4EAF-8C74-24D764FF613E}	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\TypeLib	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{38FDD2C4-9164-4eaf-8C74-24D764FF613E}\TypeLib	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A1527F6-C11F-4131-82BC-FE891D4E3B70}\TypeLib	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{4A1527F6-C11F-4131-82BC-FE891D4E3B70}\TypeLib	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C876D28-FB0C-11DA-9804-B622A1EF5492}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D12388-C5E9-468C-83B9-60AEA2E658DF}\ = "ITalkTunnelExp"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\ = "ChatRoom Class"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C9DC108-C73F-11DA-95AB-00E08161165F}	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{62d14448-68ff-4c37-a7f2-31105a1be427}	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{38FDD2C4-9164-4eaf-8C74-24D764FF613E}	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A1527F6-C11F-4131-82BC-FE891D4E3B70}\ = "ITalkAPI"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gtalk\shell\open\command\ = "\"C:\\Program Files (x86)\\Google\\Google Talk\\googletalk.exe\" \"/%1\""	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	googletalk-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D12388-C5E9-468C-83B9-60AEA2E658DF}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D12388-C5E9-468C-83B9-60AEA2E658DF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{65D12388-C5E9-468c-83B9-60AEA2E658DF}\ = "ITalkTunnelExp"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{65D12388-C5E9-468c-83B9-60AEA2E658DF}\ProxyStubClsid32	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C9DC108-C73F-11DA-95AB-00E08161165F}\TypeLib\Version = "1.0"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82ec66ad-6a51-4aa5-8788-dea156a4580b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\LocalServer32\ = "C:\\Program Files (x86)\\Google\\Google Talk\\googletalk.exe"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\LocalServer32\ThreadingModel = "Apartment"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{38FDD2C4-9164-4eaf-8C74-24D764FF613E}\ = "ITalkFriend"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{4c9dc108-c73f-11da-95ab-00e08161165f}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82ec66ad-6a51-4aa5-8788-dea156a4580b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gtalk	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0507EEDE-3AE7-49C7-BF37-0EB4A62D8638}\RunAs = "Interactive User"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74C992C7-BA13-4E6A-A469-B43AE8FD557A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C876D28-FB0C-11DA-9804-B622A1EF5492}	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C876D28-FB0C-11DA-9804-B622A1EF5492}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38FDD2C4-9164-4EAF-8C74-24D764FF613E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{226b64e8-dc75-4eea-a6c8-abcb496320f2}\Google Talk	googletalk-setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\LocalServer32\ThreadingModel = "Apartment"	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{4A1527F6-C11F-4131-82BC-FE891D4E3B70}	googletalk.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\Interface\{5A9FF74C-53D0-4513-9481-0F61EDEEFFE2}\ProxyStubClsid32	googletalk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74C992C7-BA13-4E6A-A469-B43AE8FD557A}\TypeLib\ = "{7B29C130-826A-4070-BA18-EC01E703D244}"	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74C992C7-BA13-4E6A-A469-B43AE8FD557A}	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C9DC108-C73F-11DA-95AB-00E08161165F}\TypeLib	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B29C130-826A-4070-BA18-EC01E703D244}\1.0\0\win32	googletalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38FDD2C4-9164-4EAF-8C74-24D764FF613E}	googletalk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	vbc.exe
1600	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3536	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	82
PID 4988 wrote to memory of 3536	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	82
PID 4988 wrote to memory of 3536	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	82
PID 4988 wrote to memory of 752	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	83
PID 4988 wrote to memory of 752	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	83
PID 4988 wrote to memory of 752	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	83
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 4988 wrote to memory of 1600	4988	0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe	84
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85
PID 1600 wrote to memory of 4496	1600	vbc.exe	85

C:\Users\Admin\AppData\Local\Temp\0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a835aaadb9f68d5eeee90c11b200f0c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\googletalk-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\googletalk-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3536
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Google\Google Talk\gtalkwmp1.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2320
- - C:\Program Files (x86)\Google\Google Talk\googletalk.exe
    "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /register
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:752
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 76
      4⤵
      Program crash
      PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2864 -ip 2864
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Google Talk\googletalk.exe

Filesize
3.6MB

MD5
bcd9cbf0621f9a6767276a2e0bf1dd15

SHA1
802daf7cb7823ce7f36408f0fba01e2e75fdde90

SHA256
c0748aee57a79d1ad8a4307d3ecb03a517464d047cd5cc64bad299e0bfaefb60

SHA512
0dd7dbb13c84e111b6c3a10629498724c4879f3b94a7d786b03009347186c8199791d0cc519d11affb89ff1ac3a1151d532bb9540a23bb0ad35bccea6327be96

Download Submit
C:\Program Files (x86)\Google\Google Talk\testperm.txt

Filesize
31B

MD5
cf41c3a04147fc650486a80e85f2444c

SHA1
f98fcb580c775b8d902f6bf76f52a559af43d445

SHA256
d632b0b91898356488302714bebeb771cd765fa045f7a16ae925d2e99263671c

SHA512
4d24cac88a0baae5426577e18152d9a404cb525aaf3830cb75f0f1bbe868b635206f9f3e5468255b1cbe0ee761a24dc46b9aae6e0ed17aa4fff5c7090c8c8ed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\775aabe7ca171d273616297f50453c711d150494.original.avatar

Filesize
16KB

MD5
438815592db40de2264606f1bfd4d903

SHA1
775aabe7ca171d273616297f50453c711d150494

SHA256
e166689a2be4b0c649c4455b946373cba82be7bb56e8c50230bedab1f22b2115

SHA512
3af5009acda043a85cd4264758614e4cc15a1b044244ff877b26e35cab56ce30bc390f90242ce735657fb7f1c35d177f6d1fb1123fd4ca52854091e0d18bb53c

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
12KB

MD5
477b9b2262edfb077aa9622b473dc3db

SHA1
fbfa567309724a59bad65e51ca1ce467ab52141c

SHA256
0f0154aaef14b04bac6dc6d55fddbc99440a822c165725bfe7083be90ab50e3d

SHA512
9f9698478accf1791ff6c6e2e5c150d691d135a319c5888b46947ca0f4896a025a26296ffac8adc276b4f3d4f086c3af747cbedcb1b841bef0135e717e3fbf1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
24KB

MD5
91d5e3de0a48f1d28d4f72050a99ea02

SHA1
2a76fc6f39dbbb2da6ee8064c08ce6d8ad6cbd01

SHA256
bce7a8f3a90e7b484abeceabb81c932a01856cb825350b7fa5bf4c81beb246e6

SHA512
0757eba0fa6bd44d6de804ee5799e379e059cd15acef84897b4c32a7a7d48220d9d870a4637de0a79a7872439ecb321d312aa32f9917021ebbf3c3e8f520c683

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
11KB

MD5
90623c105b3a59a8de55402d5690d179

SHA1
a5515c11ddc68cc7afcf94ef564cb331c6685116

SHA256
8d79a640a600c7f95bbf5bb992dde81e2d829899f13dffd599bab032a192ea1a

SHA512
5e6db87d6b2b879ae5a7bf43f7a19721a825bac26e003574b7cd539553fb681968b7b265b5233a55074ca9cc0d982230cc49eef01f61cc4f79ba054fe2225828

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
7KB

MD5
35a4f023cd551801f84b91b43ca4b321

SHA1
3797ca1bfa12a956f91292344eae4d444d567187

SHA256
e84cd6011e1dd88ab49db2ece980beaa6bd432908168487fcad04f961f2bfc49

SHA512
3fa800db342022ba54621f678da2c4050a465b2face80d4fec6633b02aa46afd582d3d808e950893eb326cf599218997476c3d86e208fe507c6960b777d1c6e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
10KB

MD5
46363431e0b687e017e5d5614181aa5c

SHA1
250915850e9017edc6e503c2c83b75715917592b

SHA256
1cbf77384a0af8d1f6ed54c3f7411d7b63a682e6d27b51c7def512642d037eb7

SHA512
cca8ffef787a4f4dc88e4d562d0ca8e824cfdaa2dd3d26ddc730ed12f15508cc6360ab3f454e6a6c36eec35800f79451fefa00a24c2bef012aff3fbb9a6ebe9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
11KB

MD5
e7ed315542e8c9e38b5dc50cb62ad9c2

SHA1
573a43a3fbc18f656bc9c7cad720977c3e5747f9

SHA256
e34346514992ff121d2fb023b894312f9de7db569238a58f2d4b7fa2bc428a54

SHA512
118c7e421e6ffaab1b8c34ab5cb2d8515894b01b50ec37d8f958ca66baaf5b1edce2bcc7c9b912fc8644ae2680449e2a438b2e9b38e85dc60b1a9bdd1dcd7c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
13KB

MD5
a22506cd785b216a6fb917118c234655

SHA1
f26dd8252ce14dee46510cb3cdf205780c2d2407

SHA256
a4513cb4108881a0d525512419518d849b821c0240fa2df0a8d119905646ef5a

SHA512
db985a4203d1fd0902e88f90e125b3013ca001795b37cf2bee1638046ffa91b1dc8a9446991e9c1ddafc7fc1f0fab249d58b1850246709f6b0523c141dd44e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
10KB

MD5
d66c769878374d62b887c2ed54f0d960

SHA1
4955c0b12cf51b51d4b54549b443437e17c65a5a

SHA256
a208f2a0c83d6cf3ef02cabb6727a0342efa54aa787116fdaa3f816351153844

SHA512
107062dd1b4edf74afe63ad9227f278410369e0e24864c8120fdb7c2e093d5089c1eb7d86ca80b7474a9128528f4979dc2e847ffac0c53b0c90afd288d9b8dc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
16KB

MD5
f08fc19d4b33cf4d93585c6730e300cc

SHA1
3d57d79863ec79cc7b84f5d51c9982e91c0a3b8a

SHA256
3eca4fec079b1d4a4806547c75f22100ff3c48d382e25e9da66d67b4680e54f0

SHA512
8184ba705045544cd0f757e91e3c91abfc89b8b46338eb7b70e2cbb73a369fa62915f553b9d6c477941f480afa618f76e3c18b12fd6700c1a95f1e34c5dfcc38

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
16KB

MD5
66f6abfe52772f4f03a9790ddd12c773

SHA1
0e858c934b5d74a003b0bee82efc12887d61c011

SHA256
e42642a6b9b6ec79d3e35ea4bbf892d5641817e50cce3f5025fca31ea38f3b42

SHA512
5ef9798dc424b871dcbeed63bf4638b2b71e12c222b543bbcf9caafe12a891fb49fe54f317ec177ccb8659bd334e97689a7e8b84cd04e3b3952aa2b8e4aed181

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
18KB

MD5
3627b56c6ea08d1a49a71fd3b21a1204

SHA1
de4a8862133aa788f9ea4b0f8c10080a140e7bdd

SHA256
ba8283dd9b8b6ead35a405148267d449ebf2fb6514918ed9b4e66400f29afc4f

SHA512
199be24143c4e455feacf49781335bfb9df7dc7bf85247591fb60580171f7576d41bdcf87d2e44a66fd1c6fa12dbb2c79d190d3e1203ea536c7b1a9a9eb0ab12

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
8KB

MD5
139ab22ebfe6b86790b9859251d2cb85

SHA1
46914b47602a13eb2069793817c907fde482e509

SHA256
4d945da6e45abd54d757b4f82ec926e3ae24874727dc15e16229ece7b933c94e

SHA512
f7dd86f347fd3c9123b7a89629bdfc81cd18f6b4a8502d58804495596e6e9dc13fa5600c517340a25c3262091d97b78e9e3d2690f51a3ba80dd40c0b3a37c2ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
15KB

MD5
57c563baf3fd6fe44392636258812c42

SHA1
4b0cbdb4719f04efc57798f4f9e66ba412cff885

SHA256
8893af9a901791cd34a66fbbdfa48da7038dbd1646915b3cfc36b21dc31d546e

SHA512
1b8ca6a37228bbac09ac3c3b118209371b30cbda021f762224e4149c630c394b66d511a96f9f8fe3dd6cd5beb50e80e0813ba6dd59fe5d25a24560730b8fc629

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
13KB

MD5
85c0a49a6a1bb1cbbe130e24cb23814e

SHA1
dcddafc8de2361f8524f10e06183277b01127ef0

SHA256
d6d36336a156cee0f9b57610e48ecfd4434a78b6f08dbb77a9a47c26b5050c5b

SHA512
94baf832f8077076346bdd21a485025bd9696bb3daf68d457b4001ffb5fd4b8ffc975e65054a3cdeafabee10597252f78db9706824fea4aa1e076a4dbbed3ea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
17KB

MD5
cd14924ded52e0a997bd72c86c3a339b

SHA1
901fa3e2a8f3fe30ec331c559ae5a69ec47bafcf

SHA256
0f56495dfe187cfa79f98c8584216b8c128e1d61e08c43a5964df8faa4dcc448

SHA512
053345e0a9184edeab251026a8e06909b4603f531eb301601894e51b440b4399a26ee71a84f15e101ea43d62dc2aba0384d4f6c8ba3bbca65e1e9b066d0e4cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
5KB

MD5
370a9e303a5e2b140a7b3f37a4233481

SHA1
02e77036c1ea4be91e1053e3c96f28e805d119a9

SHA256
66babc236e7e018e82bad773dacb5c3089ba85456a4efb8a19ee310efa3824bd

SHA512
657b99bf1959dbfe8ca7b515b792550113e21b3b416296bc69961abf89cad1561f4e0cb2d443c4bc0906cc77e70b33ecf95ec572001f5c88d5635a87add62e51

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
11KB

MD5
5f7e31f0001ef4310865f1ff4549b12b

SHA1
34c95afe0b0fcb9576636e25261c92dbb32c2ca3

SHA256
4681737d35db0808cbb99d4653b9f99141d7409f60268b9adb84c2e59792c6e9

SHA512
fef96b44c10223fa1138832e34fd12ed6a3ed934dba3f736a985cbc236bde9411fffaf6e49f65e50302711a09af30d27853a8158f807e7ac5065208619c07502

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\avatars\temp.original.avatar

Filesize
17KB

MD5
ceef4fca7bc7083ac26ecc0e4fc7a4ca

SHA1
5a3f30f9764147a12215431398540e05c0435aa2

SHA256
9ee950db30334eb12eb6b1a12b667d68710f42d53d069eacc39ed25b6c25ff5f

SHA512
702d0e658cc6429304f8c770dae31ea2617c23aefa234267f9a2d45eb4650bb97e39356bf669e71c635fbfdc8b5872bfce8efcb90b65f04f2e43d6acd955f3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\themes\system\chat\Classic\Contents\Resources\Incoming\NextContent.html

Filesize
61B

MD5
70e3aa6ea6428c65e2c99fb67cdf3c38

SHA1
65cdb1fd2901446df663190a3ab381b1969cce00

SHA256
773c0f0b634ec3106c09645484bb08cb2f18d316a6b6f805463feb3f892470c8

SHA512
b913c91987f68943487e6fac363d3abfe1a43d80ebc9838dac0fd2a06b14f0c2594a2abfb893a1f170a8d3b22272ec2e118b52c2d8492b94f1b4b6e3d520858a

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\themes\system\chat\PingPongPicture\Contents\Resources\NextStatus.html

Filesize
87B

MD5
4a75b7ffdd13bc07628b23a1340db9bd

SHA1
80b6f0db8880ae484d5e016077b174a702550b38

SHA256
fe5006e8ad1e3dcc44588712ea4a6e5723a4cf6bbf5be7db9f04d25d91f62327

SHA512
498b6451ac4cd3a7a598001a8486358582bce29479a6cc14e1fd3038d5751b81f5662340936b7e7594268662ac794482869f799de9144eae0a5c930820a83c01

Download Submit
C:\Users\Admin\AppData\Local\Google\Google Talk\themes\system\chat\PingPongPicture\Contents\Resources\Status.html

Filesize
87B

MD5
c1659928c4171dcee82ba065549d80a7

SHA1
6887fcdccea434cfc4247faee95662e201b9bcf2

SHA256
e2d9fa6e3e1044265356afc6369147a8a7dd68e030ba3d68e83473b375f1ee65

SHA512
a1a71b238e76089c5a4087e8451180057b0c32a0c6b2ebb6234d9d317630aa5d58df63d0e0b60b11218724b0ffa0fe023de31dff3fe83f95a58ea013fbbd0194

Download Submit
C:\Users\Admin\AppData\Local\Temp\googletalk-setup.exe

Filesize
1.5MB

MD5
8260031b32d9101c9f222161a87ff2f1

SHA1
83b5614bcbe19d992a617e059943c297ddffc848

SHA256
5cf4427b2ae3a6787776fbd91274228562b8ff2777bab4573916b4d042ab9926

SHA512
e60ff2570275b77023e21c0b09017ad2ccbd3cb92fd3441dbb0f9cf0ee65a951e594f4781109f1d2b29abcfe95ce5a87a283031d10f4a0c53a630e065d409c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtalkwmp1.dll

Filesize
68KB

MD5
f341a096bbc785dc39e0170ff725a7d5

SHA1
75b233a2fc20ff4a748c65b80c17188f63b9cd53

SHA256
fd23273a36db53e1da88e2b4ec84ffb720e54f9c6ab8820bf8937e870d64e44b

SHA512
fe4a237a9b7b100e0b4ae5a2daf30989b3d6744ee7e7ba0a8a3c6322cf390a93fde3cfed79e4593e06f7ff072e1c207b9182623ccdb1b9da02cb412c8096b77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8D6D.tmp\InstallOptions.dll

Filesize
12KB

MD5
08c82a46416a5e2b471d457968f53816

SHA1
3e3897c20b9e89b279b4764a633f67955bf8f09a

SHA256
435baf3b7282c9110697a4916834ef9371dd29fae6b4cb8e19c19eb126562dc9

SHA512
91e2055b91d04b2348a923cb298ac6ba3637de5038dc4f849c4d2f1665d17de9cd6eb6a97d42d0f894d65348c8fd8e79cd61b667ea5a78e8960347e8cc8db81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8D6D.tmp\System.dll

Filesize
10KB

MD5
61151aff8c92ca17b3fab51ce1ca7156

SHA1
68a02015863c2877a20c27da45704028dbaa7eff

SHA256
af15ef6479e5ac5752d139d1c477ec02def9077df897dadc8297005b3fc4999d

SHA512
4f5c943b7058910dc635bdcfadfea1d369c3d645239d1a52b030c21f43aac8e76549e52fd28e38ba5341d32aefe3c090dd8377d9e105ad77f71ab8870d8e326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8D6D.tmp\UserInfo.dll

Filesize
4KB

MD5
2b006bbf7c9295683eddfad40008be85

SHA1
b3f42a8e2ff172d51418c72811586b11ed589909

SHA256
9e4440baf56d47ca4cc1f29e7a62d407d1f9524986160b30de5f825a3fedee88

SHA512
e1cfd739b7f8de442e2fb49c83569e8051492180780d92a4bfaa9c90b1444fd0020f9f596c12820642dd33cbee2c81ec793acb1c8dab1d1bebbe25b33c51efe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8D6D.tmp\ioSpecial.ini

Filesize
506B

MD5
f03274fc7596500cbfbd7a411f0219c6

SHA1
3e1f3de2612d97a400251d896ebc64e2a58604f0

SHA256
a86e491a49e516ff243507f63dfb2a887c6f2bf1db19f71253be5cb9c3e18be6

SHA512
9a6b3cda4abab5e6e8a6112ec117f583e6bc3d328ccee6097ad6f25cd975cd2539b221c8ee9352942470d771658dbdda954d3a8c2a93e3343c6dbe883fafd764

Download Submit
memory/1600-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1600-171-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/1600-175-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1600-50-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1600-53-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1600-168-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1600-13-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1600-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2864-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2864-55-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3536-36-0x0000000002ED0000-0x0000000002EE2000-memory.dmp

Filesize
72KB

Download
memory/3536-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-17-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4988-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4988-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4988-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download