8204c13c8893456a05472e907ac01d81786d0a3d8d89caa3c06e9b264713fc0d

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Size

2.7MB
MD5

530937cb71478ab5a790d31a8952cd07
SHA1

c69dd743af8e135f96ba7c2db6d115af6a62b233
SHA256

8204c13c8893456a05472e907ac01d81786d0a3d8d89caa3c06e9b264713fc0d
SHA512

bd72116565455abaf117502dd1f96c9f1c7e173bf07fba87c0b79fecb788d7256e8b30ac7a19bc14fb5b392e0193a07c0c777ad06b0dbbd062f8c5963e61d95e
SSDEEP

49152:V6UrTrarOtpA+R8BOOwVw3h6SlCZ0OxJJlVt4OwpnlrEiorarOGWAfUOKLxCCr09:UCTrtA82XIamTlVqdllrEior1AQLJ4aY

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b65-8.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Loads dropped DLL 44 IoCs

pid	Process
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
3108	regsvr32.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "TVGenie"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\NoExplorer = "1"	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b65-8.dat	upx
behavioral2/memory/2248-11-0x0000000002180000-0x000000000218C000-memory.dmp	upx
behavioral2/memory/2248-148-0x0000000002180000-0x000000000218C000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TVGenie\IE\common.dll	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Uninstall.exe	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\TVGenie.ico	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Chrome\common.crx	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome.manifest	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\install.rdf	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome\content\main.js	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
File created	C:\Program Files (x86)\TVGenie\Firefox\chrome\content\overlay.xul	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1000"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MAO Settings	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133736627952235961"	chrome.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL\AppID = "{384997EE-E3BE-49C4-9ECA-C62B7C08128A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "TVGenie"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID\ = "DynConIE.DynConIEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\ = "TVGenie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\TVGenie\\IE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\ = "TVGenie"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ = "C:\\Program Files (x86)\\TVGenie\\IE\\common.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32\ = "C:\\Program Files (x86)\\TVGenie\\IE\\common.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib\ = "{781ca792-9b6e-400b-b36f-15c097d2ca54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}\ = "DynConIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\ = "Common 430 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
4820	chrome.exe
4820	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe
1096	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe
Token: SeShutdownPrivilege	4820	chrome.exe
Token: SeCreatePagefilePrivilege	4820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3108	2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	95
PID 2248 wrote to memory of 3108	2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	95
PID 2248 wrote to memory of 3108	2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	95
PID 2248 wrote to memory of 4820	2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	98
PID 2248 wrote to memory of 4820	2248	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe	98
PID 4820 wrote to memory of 4628	4820	chrome.exe	99
PID 4820 wrote to memory of 4628	4820	chrome.exe	99
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1844	4820	chrome.exe	100
PID 4820 wrote to memory of 1708	4820	chrome.exe	101
PID 4820 wrote to memory of 1708	4820	chrome.exe	101
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102
PID 4820 wrote to memory of 1484	4820	chrome.exe	102

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FED6A736-129B-49C7-857E-25FC91E87DB3} = "1"	530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\530937cb71478ab5a790d31a8952cd07_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\TVGenie\IE\common.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://m.tvgenieapp.com/r/?ts=TS_IN_TVGN&v=TVGN_P0_2.6.30&pid=612&gi=647334651f5b4ba1819ba0518f638769&i=p
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe5918cc40,0x7ffe5918cc4c,0x7ffe5918cc58
    3⤵
    PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2088,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    PID:1708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
    3⤵
    PID:1484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3060 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3064,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3372,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    PID:2312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3336,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:8
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4512,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=208,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4632,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4440,i,3516109611773174469,12311610022739896868,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1096

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TVGenie\Chrome\common.crx

Filesize
45KB

MD5
a8e16a5ab2902c61295406c7f9f7138f

SHA1
51fa2eb4b4d694fc6e5403963fa3454d4163e0da

SHA256
f8c76195612dbfa2a3846680c53c7fb041d1b347923518c6aeeb4810890adfbc

SHA512
7546384bac6d4968905e4df227105649d43e00c3e276df0bd12c71a2efcc9fc73332f27c3f5ff1cc54490e878c8b4faa95bf25a42f602e277ea8c7032cfac75b

Download Submit
C:\Program Files (x86)\TVGenie\IE\common.dll

Filesize
383KB

MD5
ce4349d963306dadc8406af61bf4da2c

SHA1
4c697d1cf0bd5b2ee1f23d71d7697ac8dc48d7c9

SHA256
478397551c500819949a1abb0337159df4103337d6a0bfdefdebb61196de3823

SHA512
7ee642d6ae5953a4a60d726344e6530f01596fefbd4e36d25b9bd04f4fada0ceb67114946ac6bc52bf4dd0f2c13b01938ff7f7640d51ae4e86ffeac8cbce821c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1523ab90-dc1e-4278-a383-d20423a79813.tmp

Filesize
9KB

MD5
d1e5df123877bd843cfcb89ac1fd177a

SHA1
4c92980127e59babe5a5947324d4347c85a9959a

SHA256
ce3914c668619e7c1548890f41bf583042c334652893014a0b40f6a6bd66c19e

SHA512
5acf0c6003f8a40824deaac932060a320c57ba904f32cf4eff072fffc7c827e47323cb50356e5632950260952e3de0d3df37b0428169e722393b7cf389305c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1b8f4decea1d9826447f21dd3532c75b

SHA1
f45d99467ff3a3186ce6b5d8752a59483154d14f

SHA256
7fab07d7761f2afbb8054d7bfdf37ac2090e169c5b23889808d924b9ab2fd0e5

SHA512
02e4dbbbb4b085c8c5fd047bab9ee50e8b0f52a013c3b48bb711745fac7694b237f995cd4a6d65fcbe5d2cf43999697b66085661ecb32e11c8e8bba4fb98c31b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7968b4a8d3b9419c586d7cefd5094c9e

SHA1
787216d9f6139c882429dcac2e2b9945e10cb556

SHA256
8e25af7775eb57ff8463235d26b3a88a884c750a10dae07d4d27f1c75617f035

SHA512
0226ff857bf36e9c6d27a6f508f08575c72d7e566ffcb375df6041e962e9bc56bebd57c418e8830e954616051b513f0d6ba0fd3bb710709c8a52056450a5118f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1217ac81c5a8d6f5cde3f7c31fbd47ec

SHA1
caab02b9dbf51e7b544d8d63f48d1684b8390d16

SHA256
d08d9e46503462f44ae66da393f8be8a13867bcbf330ddedd5088e705274b2fa

SHA512
28bcf7cfb52776c4e3c75a1f7ad347c5b0e0f06148ae5774f68a4e1bdd8131fc200e3abf90d13959383813004efad935253fdd63bfca2ee23790a833b967e449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
420314b41b6de79a9bba19a341e7f7cb

SHA1
11d4ab863930a9699e2a0d4081cab829a5747793

SHA256
d116491613f3e4b2bc356270f501dbd246fced1424eb3943098aa2120aa0d500

SHA512
dc42bf3be09d03c9b3f4d2ffecf1f9c72f0b0b8f6cb80be9f6c9a2307af76ca8715fa2a3bec50731d6e07e065e58ba322a4bbb30d5f0f2c71631db5bf4287152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f7043d72e01d1dd3d8d35672038e95a

SHA1
535e22bc190210447b30f8cae621b9fe291041e1

SHA256
8d68877cc1d024665c607a3861f9150a9f6ffa4205205fc91fa0d138db0db730

SHA512
2554294ffc7110f8c78387850a99c4a15536ddb2025e7f1228950c46718a99b5e9ce04b60f5a3eaf7d669038855ae3893cc35e83ffa1d7f722fc603a4e0afa40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6358d390f9e82f8c15204ca1986242b7

SHA1
2d755bd218d2abc79dc6f57f9b8188e8aad626ad

SHA256
6426e679fad06274f3e36c9b20c684a944aaa8bf6d5ceedb0d846a13af125a45

SHA512
6f759fe3ce03481d40187b02665ad27d6774c0d5cad6c01cca5fc616491c3c54404be0c41b55a40a2b7ae3d75ddf0f4656966a288287664835eb75bef25a1d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ad19d007f5f47d95100b2dc7960269b1

SHA1
3a5ac5cffe9cc074e4acff177a4770056941cdc3

SHA256
d28e79421712ee34f5b25ab2bc8fb132a09986f87e3823849f3038acf8aeaf9a

SHA512
5a4b76af1b067ebd8d3e84306e5c035da0b6d8069c0fca780cf7fcebe108bdbe06f61aca61632b531d6732c9c0b0c30a92b15705eb4d20dd233a16f96eeead1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
4f60d5bf0e3c7afec9bbfb7e6a095671

SHA1
921c911b96a0d4e883d6545c1bd5f92e49b75660

SHA256
c6a1315e59faf592bd7120a462efa8871fb263d72e2cd8f48521a99860a44db6

SHA512
1aba55b5a812c880fb3712d85d285b6bbc893f42d303dcc10f895fdce4b2a2e22031a5d75a640ffb31b3f38ce61fb64cdc23ebc9b17cdc75e5022b3bd273f687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
1d450e92ebdd0e7ab3de611714d8015c

SHA1
2ddcd5e498e6b6b2b30947facf2e7a635978526a

SHA256
4347cd16c740cb43aff72d9b032928e20859cf89e0cf299fb996b4c8f4c93b2b

SHA512
30ab3f55297f245ae1484de990541fa86b06be5a16e26df221a3da8eee7dae6752abfab65465eaaa1759bcad7dc55f2c3d9da3949b7f8471fc3f8912b9c5995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper.dll

Filesize
884KB

MD5
0c05804ee2737cdddec09f1ff9cfd418

SHA1
8b675415e84c63ed246456bf0c010a89b2d1817d

SHA256
9847a88d78d42d7ab1a3e39e5ffdf59229b60d99b23944125c8194ccca9c5a68

SHA512
8db0889c5b6eaabe381e506bda9fd22f883b1325982c0215f28cde976db3a4c979bde1085b2e983b9334bde886c6a18cf492d51588dda038068a0bc5ca9065e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\KillProcWMI.dll

Filesize
65KB

MD5
61fd777443084ed61c05c22e8e3c3eff

SHA1
607944fdcfad205a164f3ca84793ab13d3d4ba97

SHA256
a69a51de19784287ee9031322cda5104a6025d7cdf1ffd0e897fdd8ce4e8df4b

SHA512
ce12cc55088a2176bfc5de8b65b92db8def8e930ddffe3961bb855b9536a25632cd921903f616c885699fb2d00f5074d03a213e25a759ac0aa4ecdfc33878323

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\inetc.dll

Filesize
20KB

MD5
3a3a9223dd834d9898fdd8bf260bc373

SHA1
ec7ba0f20486cfb16bed7a2f8e62c228cb9f5e93

SHA256
e36cdce05b8858cf6841db19f5618f9335aa67a9a59ffe8ec2be0fe83b5bb8cb

SHA512
c8a4e07da6fe203f79f5c4314a6f5aa21b1a6648848bfa009a87b9af1d6c09ccf9c01ed3813442e57f7fa221ca088dbca236ea1bf80d033574c9670883d3611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\util_ex.dll

Filesize
776KB

MD5
80b2e3d8a6a283c2019bf239a60cbbc5

SHA1
a6b63dce1cb4741f443332a7ccb52031088918ee

SHA256
cd564402cfe6744b2f9fe8df895fa9f30650c9061a4e4ec1bc71603ce1bc031d

SHA512
c7c645939a5e237393958a75f39f7c9990116967aa9cc3388b7b14370ccca0c839f6579a56cf8bce08ba43ce847a0d6046a8a43730680e261a61ca0d401558c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq9471.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2248-156-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2248-148-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2248-72-0x00000000051D0000-0x00000000051E5000-memory.dmp

Filesize
84KB

Download
memory/2248-64-0x00000000050C0000-0x00000000050CD000-memory.dmp

Filesize
52KB

Download
memory/2248-11-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2248-14-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download