8204c13c8893456a05472e907ac01d81786d0a3d8d89caa3c06e9b264713fc0d

Analysis

max time kernel
63s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Size

2.7MB
MD5

530937cb71478ab5a790d31a8952cd07
SHA1

c69dd743af8e135f96ba7c2db6d115af6a62b233
SHA256

8204c13c8893456a05472e907ac01d81786d0a3d8d89caa3c06e9b264713fc0d
SHA512

bd72116565455abaf117502dd1f96c9f1c7e173bf07fba87c0b79fecb788d7256e8b30ac7a19bc14fb5b392e0193a07c0c777ad06b0dbbd062f8c5963e61d95e
SSDEEP

49152:V6UrTrarOtpA+R8BOOwVw3h6SlCZ0OxJJlVt4OwpnlrEiorarOGWAfUOKLxCCr09:UCTrtA82XIamTlVqdllrEior1AQLJ4aY

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000019319-9.dat	acprotect

Loads dropped DLL 24 IoCs

pid	Process
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
1200	regsvr32.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "TVGenie"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\NoExplorer = "1"	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019319-9.dat	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TVGenie\IE\common.dll	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Uninstall.exe	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\TVGenie.ico	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Chrome\common.crx	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome.manifest	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\install.rdf	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome\content\main.js	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome\content\overlay.xul	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1000"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MAO Settings	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\ = "TVGenie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL\AppID = "{384997EE-E3BE-49C4-9ECA-C62B7C08128A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID\ = "DynConIE.DynConIEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32\ = "C:\\Program Files (x86)\\TVGenie\\IE\\common.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ = "C:\\Program Files (x86)\\TVGenie\\IE\\common.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\ = "Common 430 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TVGenie\\IE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}\ = "DynConIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\ = "TVGenie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "TVGenie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib\ = "{781ca792-9b6e-400b-b36f-15c097d2ca54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 1200	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	33
PID 2616 wrote to memory of 2364	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	35
PID 2616 wrote to memory of 2364	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	35
PID 2616 wrote to memory of 2364	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	35
PID 2616 wrote to memory of 2364	2616	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	35
PID 2364 wrote to memory of 2140	2364	chrome.exe	36
PID 2364 wrote to memory of 2140	2364	chrome.exe	36
PID 2364 wrote to memory of 2140	2364	chrome.exe	36
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1424	2364	chrome.exe	37
PID 2364 wrote to memory of 1488	2364	chrome.exe	38
PID 2364 wrote to memory of 1488	2364	chrome.exe	38
PID 2364 wrote to memory of 1488	2364	chrome.exe	38
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39
PID 2364 wrote to memory of 1736	2364	chrome.exe	39

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FED6A736-129B-49C7-857E-25FC91E87DB3} = "1"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\TVGenie\IE\common.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://m.tvgenieapp.com/r/?ts=TS_IN_TVGN&v=TVGN_P0_2.6.30&pid=612&gi=5c1376faaa6a427fb3c880668b2ddda8&i=p
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b99758,0x7fef6b99768,0x7fef6b99778
    3⤵
    PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:2
    3⤵
    PID:1424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1444 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:8
    3⤵
    PID:1488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:8
    3⤵
    PID:1736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2796 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:2
    3⤵
    PID:1944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2340 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:8
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2904 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2132 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1604 --field-trial-handle=1248,i,12434520874396922586,2992739134013373739,131072 /prefetch:1
    3⤵
    PID:1996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TVGenie\Chrome\common.crx

Filesize
45KB

MD5
a8e16a5ab2902c61295406c7f9f7138f

SHA1
51fa2eb4b4d694fc6e5403963fa3454d4163e0da

SHA256
f8c76195612dbfa2a3846680c53c7fb041d1b347923518c6aeeb4810890adfbc

SHA512
7546384bac6d4968905e4df227105649d43e00c3e276df0bd12c71a2efcc9fc73332f27c3f5ff1cc54490e878c8b4faa95bf25a42f602e277ea8c7032cfac75b

Download Submit
C:\Program Files (x86)\TVGenie\IE\common.dll

Filesize
383KB

MD5
ce4349d963306dadc8406af61bf4da2c

SHA1
4c697d1cf0bd5b2ee1f23d71d7697ac8dc48d7c9

SHA256
478397551c500819949a1abb0337159df4103337d6a0bfdefdebb61196de3823

SHA512
7ee642d6ae5953a4a60d726344e6530f01596fefbd4e36d25b9bd04f4fada0ceb67114946ac6bc52bf4dd0f2c13b01938ff7f7640d51ae4e86ffeac8cbce821c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
226b242c740f906e5f5e28cdac2019cb

SHA1
c229230ab7fef3ef255666902f11c1e0f7791a8a

SHA256
a179129a75003d97bb36dd626784da4b44ddb326344bfe02fe0a468e80d7b8ea

SHA512
e2d0d0985e6d261cf640d758124d4e9bbb0bd721dd8ff2fb0e2f0dc242e7cbf9b5bf03fe3dfcf11ff3803da4eefcb3821dda94c98d46265aca7e6c3ba6b2ec2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fddb268fee341bbd66eaeebcb29eaf63

SHA1
c6d5c69e33f612f946dd694d7b2240514172ba76

SHA256
73f0bc070ddf6c31526696b8e779579027aa5cec1fa2d03e4a2de0e2a2ed5721

SHA512
b982fe827e22a2e4b6c89ea3b049920bba9a54935d1eb02f0feed0fd06266db2a048c558b5db3f1cac921d6fc2a394f8d8c088168367905be129b6942ea472d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
\Users\Admin\AppData\Local\Temp\Helper.dll

Filesize
884KB

MD5
0c05804ee2737cdddec09f1ff9cfd418

SHA1
8b675415e84c63ed246456bf0c010a89b2d1817d

SHA256
9847a88d78d42d7ab1a3e39e5ffdf59229b60d99b23944125c8194ccca9c5a68

SHA512
8db0889c5b6eaabe381e506bda9fd22f883b1325982c0215f28cde976db3a4c979bde1085b2e983b9334bde886c6a18cf492d51588dda038068a0bc5ca9065e8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\KillProcWMI.dll

Filesize
65KB

MD5
61fd777443084ed61c05c22e8e3c3eff

SHA1
607944fdcfad205a164f3ca84793ab13d3d4ba97

SHA256
a69a51de19784287ee9031322cda5104a6025d7cdf1ffd0e897fdd8ce4e8df4b

SHA512
ce12cc55088a2176bfc5de8b65b92db8def8e930ddffe3961bb855b9536a25632cd921903f616c885699fb2d00f5074d03a213e25a759ac0aa4ecdfc33878323

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\inetc.dll

Filesize
20KB

MD5
3a3a9223dd834d9898fdd8bf260bc373

SHA1
ec7ba0f20486cfb16bed7a2f8e62c228cb9f5e93

SHA256
e36cdce05b8858cf6841db19f5618f9335aa67a9a59ffe8ec2be0fe83b5bb8cb

SHA512
c8a4e07da6fe203f79f5c4314a6f5aa21b1a6648848bfa009a87b9af1d6c09ccf9c01ed3813442e57f7fa221ca088dbca236ea1bf80d033574c9670883d3611c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\util_ex.dll

Filesize
776KB

MD5
80b2e3d8a6a283c2019bf239a60cbbc5

SHA1
a6b63dce1cb4741f443332a7ccb52031088918ee

SHA256
cd564402cfe6744b2f9fe8df895fa9f30650c9061a4e4ec1bc71603ce1bc031d

SHA512
c7c645939a5e237393958a75f39f7c9990116967aa9cc3388b7b14370ccca0c839f6579a56cf8bce08ba43ce847a0d6046a8a43730680e261a61ca0d401558c2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyDC6B.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2616-117-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2616-53-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/2616-47-0x00000000003C0000-0x00000000003CD000-memory.dmp

Filesize
52KB

Download
memory/2616-11-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download