0ec6cfdd24365db9a661561652a05f5bb6400ac0e873608944f1fbc4e40c2a23

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Size

84KB
MD5

42ef7d0682afe1e17084b9e4e8f6fa7e
SHA1

5e10b642de7611b81857f7f4920d4b8409a257d7
SHA256

0ec6cfdd24365db9a661561652a05f5bb6400ac0e873608944f1fbc4e40c2a23
SHA512

0e2cc9103842725a01d06811bc984adac87ba68d7b5522f32d4a0543282497daf88cba897bc4d40318b9c6160aa2f7f8fcdd4189212c45505491f277a41abc8f
SSDEEP

1536:0LE5nnQe9kzuY21ixKmppo+BuO0arCTizh7Jh5Rtk3yTzgZK:l5nx9tYc59ja7J/Rtog

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 10 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe

Loads dropped DLL 16 IoCs

pid	Process
2240	svchost.exe
2240	svchost.exe
1632	svchost.exe
1632	svchost.exe
2896	svchost.exe
2896	svchost.exe
1864	svchost.exe
1864	svchost.exe
316	svchost.exe
316	svchost.exe
2164	svchost.exe
2164	svchost.exe
3020	svchost.exe
3020	svchost.exe
2312	svchost.exe
2312	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42ef7d0682afe1e17084b9e4e8f6fa7e_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
PID:944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- System Location Discovery: System Language Discovery
PID:812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
635KB

MD5
91a917a34024158ed86ea60e2d6b5fb9

SHA1
7fecab9c3403e5b8a0d9919566a49fd0346e1ffd

SHA256
e48aa1dd07b495884447aa1319f9d51f83d1589ec8e13b203844c974d93f607f

SHA512
4dee536b6cea4358bea1337158390b723545592b432f081b0e5d6fb46f2762552b17b42f22dd1db61b71fb208fa98131947ccc8501359fb4674e402bd2d5478a

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
635KB

MD5
4f81f423a293dbc1d8426a64c372e2c3

SHA1
d7a55ec91b232a0a540c87c70e834beaa2962694

SHA256
7c001e7d87a7ac61340f24a8bdb1e51a756f8ac0e909aceddb86ce3342fd2928

SHA512
2067b6adac8c6afb75f79959816e7806fafd22846ca7a9097ec075c479b1399a9a922b2d890174f3f4d8d309647c9c86e93be877449ac4513feef81652733c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C3948BE6E525B8A8CEE9FAC91C9E392_F70553637B9F26717122C4DAFA3ADB11

Filesize
412B

MD5
b17e16410f9b5f955f3974c4367179c2

SHA1
9e8801a78d5d4657c441fd3c7b5f0ab241997261

SHA256
3c77a5838051729a200960ec513f3088816d0fb716cf7ad9e6ff12f6e30c2d62

SHA512
73c09f1b1d55c7548b5922839fd991740e7a1a2c6573d7c16146e7918f1c59bb99fef440d94749b3517825ce8a725a4771132722991a1a6d43b6759aff04285d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
971a2e70e8843d9a4e67910e94866ef0

SHA1
2aa4611d88f4306ccd8d69382c93e9f607c39859

SHA256
ec84832b7cdbcaf6a8ef1fe1eac77ef7458644b8dab274fb2c372b8bfc34a284

SHA512
1f108c4d4882e5cbc9d5cad744905fb7c6957e25464120b190dc8ff00972cac0640aaa4df5491e5860c05b67dc88369872a0da4b72e8ef7d261d7fb57adbef2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7821bd06ba28d42dfe3280091156400

SHA1
990f1b43846d1f6cae54c9e183d20e390133be32

SHA256
952af40e70b7290524cb189b7be8cb3bd3a13c0de0faf357aa5859cd7a9c3c14

SHA512
5bb0158d60452d00b449c9813ec6b86b66d9c229a9241880eb539acfbe9183f8e57996cff7f0ae52458455fb5650f9162d14d5852fa111c9fed8f504c1aa09aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d5526332185f746bd7db6dc753fc027

SHA1
9cd3cc82df8d0540b7d64492b913f3c690962504

SHA256
f8c957bc8fcbe06dd951b67350415f3a3f480af56d01b616909e325dc966d21c

SHA512
0071d83620ebcbe6ed85e8610a343d041878dc58012cac2a4d5eed6d3c233a12bf225053c743f10c61ab0c541c4ae50ce4f0d200981d9b4e4f3fd0ef329f7056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3630.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3643.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
84KB

MD5
e6dc09ce56dc47d647fef2b3898a68f9

SHA1
69da5e0a0292de8498100093864652d783907351

SHA256
cacdfce01a543c12abc2f2ffa2b24155fe216a2bb715431dfe0c28027ad3a99a

SHA512
11dfbfb1df9c0d2bd1edbf44164378e205d20febd2a6b3f60c8b782bf900ada1818d8f9be5cd0f1217061028243c991232628ad253ca7883d0d12e627ba3aa22

Download Submit
memory/316-366-0x0000000074DD0000-0x0000000074DF1000-memory.dmp

Filesize
132KB

Download
memory/316-367-0x0000000074DA0000-0x0000000074DC1000-memory.dmp

Filesize
132KB

Download
memory/1632-349-0x0000000074DD0000-0x0000000074DF1000-memory.dmp

Filesize
132KB

Download
memory/1864-360-0x0000000074DD0000-0x0000000074DF1000-memory.dmp

Filesize
132KB

Download
memory/1864-361-0x0000000074DA0000-0x0000000074DC1000-memory.dmp

Filesize
132KB

Download
memory/2164-372-0x0000000074E10000-0x0000000074E31000-memory.dmp

Filesize
132KB

Download
memory/2240-340-0x0000000074DD0000-0x0000000074DF1000-memory.dmp

Filesize
132KB

Download
memory/2240-342-0x0000000074DA0000-0x0000000074DC1000-memory.dmp

Filesize
132KB

Download
memory/2312-391-0x0000000074DE0000-0x0000000074E01000-memory.dmp

Filesize
132KB

Download
memory/2312-389-0x0000000074E10000-0x0000000074E31000-memory.dmp

Filesize
132KB

Download
memory/2668-0-0x00000000009E0000-0x0000000000A01000-memory.dmp

Filesize
132KB

Download
memory/2668-3-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2668-315-0x00000000009E0000-0x0000000000A01000-memory.dmp

Filesize
132KB

Download
memory/2668-4-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2668-158-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2668-2-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2668-159-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2668-160-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/2668-157-0x00000000009E0000-0x0000000000A01000-memory.dmp

Filesize
132KB

Download
memory/3020-382-0x0000000074E10000-0x0000000074E31000-memory.dmp

Filesize
132KB

Download