pandastealer | 6db345ff7f370b0785a5ce1a0f3e8d9b2a8d8fb6a236d29744c87749868adc50

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Size

6.7MB
MD5

852b1c668870b9e64ac7c23d5d75ee9e
SHA1

28b2571d9d3585552480607a95e9dd242b96a766
SHA256

6db345ff7f370b0785a5ce1a0f3e8d9b2a8d8fb6a236d29744c87749868adc50
SHA512

e375078ad47ef25612e81051dd366f23db30534e7743a9b5b708a58a3b5086521d5c0c5d7a1998d7c9196e18adfc51777a2ff824dde61983149dbc0e2c112588
SSDEEP

196608:D7q7IsFwqyNah8zqpati6Kf5rnVQ1V85Ej:DzmU68maV4Rne85q

Score

10^/10

pandastealer discovery stealer

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023bbd-57.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3908	splayer.exe

Loads dropped DLL 38 IoCs

pid	Process
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
3908	splayer.exe
3908	splayer.exe
3908	splayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SPlayer\PmpSplitter.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\lang\splayer.ru.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\hotkey\SPlayer.key	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\IVMSource.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mcucltu.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SPlayer\lang\default	splayer.exe
File opened for modification	C:\Program Files (x86)\SPlayer\settings.db-journal	splayer.exe
File created	C:\Program Files (x86)\SPlayer\sphash.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\smackw32.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\lang\splayer.en.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SPlayer\lang\default	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshmaiu.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxvideo.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\unrar.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mdssockc.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshsour.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxsource.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SPlayer\settings.db	splayer.exe
File created	C:\Program Files (x86)\SPlayer\mkzlib.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\mmamrdmx.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\RadGtSplitter.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\ivm.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_wtlvcl.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\Esdll.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\mc.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshbasu.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\splayer.exe	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\rlapedec.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\vp6dec.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\binkw32.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\lang\splayer.ge.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\lang\splayer.cht.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\ijl15.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\ir41_32.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\ir50_32.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxscreen.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mtcontrol.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mtcontain.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\CSMX.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mcufilecu.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxaudio.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\ts.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\sinet.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\ogm.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\mp4.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\vp8decoder.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\uninstall.exe	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\SPlayer\SVPDebug.log	splayer.exe
File created	C:\Program Files (x86)\SPlayer\haalis.ax	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\mkunicode.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
File created	C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxrender.dll	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splayer.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD461A96-4DB8-4C6E-BF23-84D682ADC382}\1.0\0\win32	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5A7D70F-AE96-4F83-B811-572CA3529323}\VersionIndependentProgID	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wm\ = "Windows Media file"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpcpl\shell\openewnd	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{665A4449-D905-11D0-A30E-444553540000}	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C56B154-43F7-48A0-87B2-E9ACC8E1E471}\InprocServer32	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpeg\shell\openewnd\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.m1v\shell\openewnd\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /new \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mts\shell\openewnd	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.evo	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.3gp\ = "VLC.3gp"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.ram\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /add \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.amv	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3FD0479E-D6B9-4629-9496-509D3D070918}\InprocServer32	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpg\DefaultIcon\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\",5"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.m1v	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.ratdvd	splayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.flac	splayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpg\DefaultIcon	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.roq\shell\open\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MtControl.MtTaskManager\ = "Multimedia Terminator Task Manager"	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpeg	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.m2t\shell\openewnd\command	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.asx\shell\enqueue	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wvx\shell\open\ = "Open with ShootPlayer"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wvx\DefaultIcon\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\",6"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpls\shell\open\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mpcwtlvcl.WebFrame\CLSID\ = "{D6D61C19-8563-4e8e-B755-0589DA6A3077}"	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpeg\ = "VLC.mpeg"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.ts\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /add \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.smil\shell\openewnd	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.bdmv\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /add \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A94662D1-35FD-43d1-BDA3-172CE4D5C236}\InprocServer32	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Collegesoft.McuFileManagerClient.1	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wmp\shell\open\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.m2t\shell\enqueue\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.rp\shell\openewnd\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /new \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.dsa\shell\enqueue\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mov\ = "Quicktime file"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.bdmv\shell\enqueue\command	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpe\shell\open\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.csf\shell\open\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" \"%1\""	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.rm\shell	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mpcpl\ = "Playlist file"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{665A4444-D905-11D0-A30E-444553540000}\InprocServer32\ThreadingModel = "Both"	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{665A4449-D905-11D0-A30E-444553540000}\TypeLib	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A94662D1-35FD-43d1-BDA3-172CE4D5C236}\ProgID\ = "Mpcwtlvcl.WtlListContainer.1"	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86708513-5A2E-424f-AB46-F4BE3F82954F}\TypeLib\ = "{E3DEC0EB-13E4-45EE-8F2E-577A3ECAFCBD}"	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wmv\shell\open\ = "Open with ShootPlayer"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mp2v\shell\open\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" \"%1\""	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mkv\shell\enqueue\ = "Add to ShootPlayer's Playlist"	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.rp\ = "Real Script file"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.rp\shell\enqueue\command	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.amr\shell\open\ = "Open with ShootPlayer"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AD461A96-4DB8-4C6E-BF23-84D682ADC382}\1.0	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.mp4\shell\open\ = "Open with ShootPlayer"	splayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dsm	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.3g2\shell\enqueue\command\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\" /add \"%1\""	splayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.sub\DefaultIcon\ = "\"C:\\Program Files (x86)\\SPlayer\\splayer.exe\",4"	splayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\Interface	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99AA8908-FC7F-4815-B023-3BC2F5F8D372}\InprocServer32	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mpcwtlvcl.WtlListContainer.1	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SPlayer.wmv	splayer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	splayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	splayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	splayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28190f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	splayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	splayer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2396	msedge.exe
2396	msedge.exe
4832	msedge.exe
4832	msedge.exe
3480	identity_helper.exe
3480	identity_helper.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3908	splayer.exe
3908	splayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4108	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	97
PID 1720 wrote to memory of 4108	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	97
PID 1720 wrote to memory of 4108	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	97
PID 4108 wrote to memory of 4896	4108	cmd.exe	99
PID 4108 wrote to memory of 4896	4108	cmd.exe	99
PID 4108 wrote to memory of 4896	4108	cmd.exe	99
PID 1720 wrote to memory of 2104	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	100
PID 1720 wrote to memory of 2104	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	100
PID 1720 wrote to memory of 2104	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	100
PID 1720 wrote to memory of 4120	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	102
PID 1720 wrote to memory of 4120	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	102
PID 1720 wrote to memory of 4120	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	102
PID 1720 wrote to memory of 3908	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	105
PID 1720 wrote to memory of 3908	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	105
PID 1720 wrote to memory of 3908	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	105
PID 1720 wrote to memory of 4832	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	106
PID 1720 wrote to memory of 4832	1720	852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe	106
PID 4832 wrote to memory of 3236	4832	msedge.exe	107
PID 4832 wrote to memory of 3236	4832	msedge.exe	107
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 1996	4832	msedge.exe	108
PID 4832 wrote to memory of 2396	4832	msedge.exe	109
PID 4832 wrote to memory of 2396	4832	msedge.exe	109
PID 4832 wrote to memory of 4156	4832	msedge.exe	110
PID 4832 wrote to memory of 4156	4832	msedge.exe	110
PID 4832 wrote to memory of 4156	4832	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852b1c668870b9e64ac7c23d5d75ee9e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c CACLS "C:\Program Files (x86)\SPlayer" /e /c /T /P Users:F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "C:\Program Files (x86)\SPlayer" /e /c /T /P Users:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" /b /nologo C:\Users\Admin\AppData\Local\Temp\pin.vbs pin "C:\Program Files (x86)\SPlayer\SPlayer.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" /b /nologo C:\Users\Admin\AppData\Local\Temp\pin.vbs unpin "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4120
- C:\Program Files (x86)\SPlayer\splayer.exe
  "C:\Program Files (x86)\SPlayer\splayer.exe" /adminoption 168
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.splayer.org/install.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0c6846f8,0x7ffe0c684708,0x7ffe0c684718
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:1996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:4156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
    3⤵
    PID:2856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9676389238632609543,17157551819928750865,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1372 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SPlayer\PmpSplitter.ax

Filesize
236KB

MD5
dc1defde4f0b51bd17332586d0962786

SHA1
06a6da68883b7ef5f515f9df9d58004b502d15bb

SHA256
fc4d9fbdfebec64d2d7207ceba6fec4ad8ec2b210ee07775577d4435ea5ad8e5

SHA512
01fd15256abd24deb758e6007bef77184fad94e945192dd650d9b01798ed974675b60d818f2d570fda9b2a8c6f27d1ab2d38b342a464613079adfa34a2b4f83b

Download Submit
C:\Program Files (x86)\SPlayer\RadGtSplitter.ax

Filesize
288KB

MD5
7668248c3101e6cca0b88fc9ea99f6a3

SHA1
161c786cfb89fde589a5fa0c79ad2986541e3fc9

SHA256
7d6eeea0a3d1bdaf6d5e2bd13916836121026a6e37da2474296a8bcbbe538677

SHA512
94e7d68824c4e4ce1f58d909ee9906725cc27d70f03a52708fb6c1e9f797dda475609d4cf2f5907029a7aae535946e5caca2a73b7c58def126f1d1845a428ca1

Download Submit
C:\Program Files (x86)\SPlayer\binkw32.dll

Filesize
367KB

MD5
002cdf612509807b33e4ab09c686a966

SHA1
73a2ee8ec4c074b6a5c5485c615ee7ce230137e0

SHA256
2d0ae23a6175dc7b635c402a5e7e9542e923c0d1c376a8c5ef876ca0d5959d23

SHA512
e6d1c3f5e33ff8fc56b4798a6155ae76411ba9a234bea599338b7af424051943b1a2e666baa6935975df3d0354ba435962d1281b88b1ea17a77b1fbeb2cecca2

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\ijl15.dll

Filesize
364KB

MD5
1aa06c81a0621e277e755b965b5e4b5f

SHA1
4a6f2a8cb383192c80ee0b2c1deee3c795a0986a

SHA256
334aa12f7dee453d1c6cb1b661a3bb3494d3e4cc9c2ff3f9002064c78404e43a

SHA512
49a8ab45b176667c4dd69f86abe7c608cfa8f37af14f6326a2d56553adef08d9a416e79bf31a06e59653a487df539dc6aefa6ddedad0042477aea89bb215e9c7

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mcucltu.dll

Filesize
124KB

MD5
1aafc350fcc3dd779318b35a28da2dfc

SHA1
551ec6829b85ec06a8eed31514ae2c546ac89edb

SHA256
a8b3302278d43c5530569a7328d9466f4d3c2f09dddc2aa9edef7a243f7c7151

SHA512
43eff2803061121aef477ad313e9dcdddec1cae7bbafb70b9737f7a82cfc045a0fd0c52923f77b580fec82c7e23a35ba98116819500a4111b9712d4ed9d36ddf

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mcufilecu.dll

Filesize
92KB

MD5
ebc40e6239ac8f4f540707ee091dd30b

SHA1
2f830b951a68ce9700ef7a47fa2d3be9db285643

SHA256
2e551151c3fc7dc88a462f46bad62d8e2022ab6a7b3250da0eaa1d1bad81e1f3

SHA512
891016940c2ba93fde6b78101c661dd70534c462183da6776873d8b08351431e76d60ab70b84d82e11b98ec6d7e5c6f8b25c421408187331b4346ef85c0dd351

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mdssockc.dll

Filesize
108KB

MD5
58135a410b167716559dd10e4490af16

SHA1
cbd792cec4643d76b61fc9f96248a9fa92bb23ec

SHA256
77a7b542ceab4c9107201e207c093408bbecb1b8d0e1ebb818ba937df8cf731e

SHA512
8455aa9f09319ce276a7a22c1e6f96a01ca1cfaf5a4cf9ffe4be45f51da9ee4303ec1581c486f283f9eae3ecda474ce353ea3ea776226e151074a7fac3207bc8

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mtcontain.dll

Filesize
192KB

MD5
e0efe1dab943f136d263f3d85d2f1944

SHA1
763c2fe2ce37d479b5b5b716b95cbf29199cae33

SHA256
a46ff7bb0216e79265c550121ee6d2f0688e357e8633f5d394cfa6a55429bbb7

SHA512
4942d5d44df4c043d5bf397205f77300aff059a26a803708781e0f7e14423b485c1c551aa73dd83378df6ec6a51618b2a148412d426329b744a8ea946a452702

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mtcontrol.dll

Filesize
184KB

MD5
6378a2aca2d140475e829377bded3880

SHA1
37e0fcc9f89ee2bcaa46afe916b65c8be4ae6274

SHA256
746a1f508b20461fed66fdc950dd6c36707e88699b7070833d0dc8e83cc95a1a

SHA512
ae7ee08fa505120e30839fffb17583f12b7754d42d2948adc998067b2dae7dedb947947227ab2bb6eb38c71057342e551e792e8ad4780b45e35f6b3cc0c824e6

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxaudio.dll

Filesize
180KB

MD5
4c00d9f5ed7ccdf35d8cb3261a50caee

SHA1
e9f14d7d1536e2bca2c39b566a3ccd0340b93896

SHA256
39341a4960db493e8e06e8e6513ea80bde5100d922bf2d221b51079b8aa81605

SHA512
7265139f4ca7a9e56690f2c2abe57e5e67188d46316d401c1dcde6fe901566e71cba7167dffb2c09f64be62f74f358e34defae1313e68bb5cb914f2991fe8521

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxrender.dll

Filesize
180KB

MD5
456bb7c4af47a98ebdba68f9f820cfa6

SHA1
7b1199737077f14424044ca840bd19deb8a62c2d

SHA256
01b77e244cc16564cab082a0b7b74615b565bb23511afec8204d19d0cf70a772

SHA512
ea6b0d304e6c8e6769b94c59375aa20c10a56532cd0dacf8ad7fabfa37ee0dede62727c4c90c71b70cb4c7dd24d0c28329609f31a93eadbd0cbf4482b05bb3e0

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxscreen.dll

Filesize
248KB

MD5
9d1a9816646bac9e232b40d7c932097f

SHA1
56f0b418fb923ec327864a92c4c0e21f71de3de1

SHA256
f0d7d68678914d484461b1a8aec813d2d910d359d183881f4d0f6afba7933e20

SHA512
983079eb45559fc4fc3c9443e01c29aa798ca27b0ed57d213a55855a81075155a5c56d782e908505ba7c27ec624785a3077f422a6b4f9f1be2f47eb58d9550d3

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshbasu.dll

Filesize
136KB

MD5
c5ed78a732e51b60630a15ea2781c518

SHA1
e3d62651deb96de39ad9994f7a9cbceab80ed481

SHA256
4a98a205dc397257be3b2f6ad8b7f7093bbb3f21a5d20ac85c34510972104014

SHA512
8fbfd3f6e9b4cdaa36455a618e5cf990d5ce78351bbbb017eabe304d62f03d9dadef4b1532613a07b8fbb5d5efe513dc28194aca146ab23dabfe2c5acefacafb

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshmaiu.dll

Filesize
188KB

MD5
cc2697f85f4ed2da6d9834a093e5d6ef

SHA1
baf8384c631a30c3e676a940cca48fc050ec281b

SHA256
aa8e4cbd6317807590d66d20b13d1c1eb56d02e7321bd1a2c229b1a4ab9ec2cf

SHA512
8dfbd1261972e8b5ec55f76d8ddb12c8b7b6dd2329f70f5ad3d75049cd860e5d1d86357cf9a857bc09082094efc77bb22ae0760377b6e7524e311ececd57e344

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxshsour.dll

Filesize
164KB

MD5
e26ec8940c247bd5550eb08c97274f28

SHA1
cc63cc43237e6ca6a854a559b95013302368d1a9

SHA256
86e11729d88bce58030171d80bf456e948e98533506fbea5e8055297bfcb4f07

SHA512
81f3ecb3f68ec7815be5e69d7492711c1cbc7cdbd557fa7ed748564907687adf33f409ec99f36d0bf1e3fde0a71207741778a198052436909dd95f58dcda5803

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxsource.dll

Filesize
84KB

MD5
a2ee8a8baa29d10dd036eea89c2f21b5

SHA1
5a1ba9f59e9901e1a8421d55265a1794f6243cd2

SHA256
62cddf460794051d3145b26067ae598caee67c4960a8f8640c71edff7892d6cc

SHA512
8d6ebec85eb48a944b44f24d3f3b33e0c42a9295bf35eeed0daa0ef194db2bdff4e15922231891138bc9289e35b10328a123f0f3329585ee82d292fb33c3a751

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_mxvideo.dll

Filesize
92KB

MD5
0a32278b26203af0ca304f22f432b36e

SHA1
b750229b24b6923d738cf58577af96f078b826b2

SHA256
6413d173b2178f4b87a839c1daf78de960d2a6b1f35a9aeb6d830fbb5a3268ac

SHA512
2cd9ef4056045e3180f2ba548e26cbfbff23fbd6ff15ec6d8149363d8e8a81a672659b867aa7c6eaade9d94fb62d2bf7e6584fc812df7b7497062743e480a5b9

Download Submit
C:\Program Files (x86)\SPlayer\csfcodec\mpc_wtlvcl.dll

Filesize
496KB

MD5
0e80f8ce150718ea62678de24c7e8720

SHA1
2ede0f66d6264cc4291a7285e0f9e3ee6e8b0d21

SHA256
51527979f67748c5ab944c073d415a4cfb82067685af8242acd8e8de0a6f1201

SHA512
ad35542a9790e5d6f04a1e4fbd931cd636662998ee99f7997c059099ef19d7ce26ad3e46b21c0ded06922ae2bcbd100ac2f7ca66e87383317e2a84a8ca5dda51

Download Submit
C:\Program Files (x86)\SPlayer\haalis.ax

Filesize
537KB

MD5
0dc0734ba778ef05933cd8a3d9a2fff1

SHA1
059ca431515adb37e7e52604f256cd699104f8a3

SHA256
e36bc4b191233fd848c52656c9aab63be9bc9f01ea163fd892b34f96b2e4b520

SHA512
2b13def6a3426975355fa445f6137bacbd9603ad4298f98357f2ec89689c99dc009b723a03e25647dcbb712a4788b5dabad61b5628b68e00fafb5b344acfc1a8

Download Submit
C:\Program Files (x86)\SPlayer\hotkey\SPlayer.key

Filesize
19KB

MD5
12af190be4930e536a952db0eec4b46f

SHA1
ac34d5c80c4562f543f8d008358067b28582708c

SHA256
4dc54bfbcb099d4e32fa28d0b473cba02fdbffd690a90ad6a3bec9582d3929aa

SHA512
b2a1b4b882e0e94a3b5a54d5f4c40fc8afec183725fe294986098c30d65de56ecee1fe63b24a0aabd08ce67ee33800bd65643986fd4d87a690a73b9dd025fe08

Download Submit
C:\Program Files (x86)\SPlayer\ir41_32.ax

Filesize
828KB

MD5
e520af771051085a0d88f681b1e3aa07

SHA1
b8a03586b28e647ae9ee373828929049c391e34e

SHA256
57585b558c52bbf95c412993c679c41e712d1f2c60ec7525aa00fff020e2f6a7

SHA512
d72dfc3cb2893b7450f1276787b6c3b3f91d114d0c51e64b0fc2da8a36f6e21bbea16a538d6c65372c1fe563c03d6d456f048c3820ff2dddc3498bf06b055e2a

Download Submit
C:\Program Files (x86)\SPlayer\ir50_32.dll

Filesize
737KB

MD5
652809bf6fc8ff180094b069f0612188

SHA1
64109d748ea64ca1864bf7a2301c45c75970526c

SHA256
665060b8a30f7a90a1e39da936390bb8d0aa77824527d575b620715a4f826fee

SHA512
2ff1794e5c8f01b932850aef00f5cce088112b6dc9d3325fe5f25809c362f0b5410fc897579d017b99820988fcd94f40c2f2316f4a853bec6e86a7b6446dcc2a

Download Submit
C:\Program Files (x86)\SPlayer\lang\splayer.cht.dll

Filesize
97KB

MD5
39f94b20a3636b8a80eeed94a6d9c298

SHA1
b6c57bbfec803ad9819a0a169dddefd815bbb96a

SHA256
0d925e33fb40965ce60d15086b695d70c5978123aad9a63f2b63b546bb8d3f92

SHA512
dd4d7ccc0434e24fa2e48bf1b801001769a58778e76dad14242280aa6433527a556803025c6ac6eefc773d9f3fc87b3a282bb89d83cc8bcfe3d2cb5f63904379

Download Submit
C:\Program Files (x86)\SPlayer\lang\splayer.en.dll

Filesize
143KB

MD5
2f36074aa61989ffbd4a4526cdf8b0da

SHA1
796dd2d2dd3d167dd6135d7cad63b9bf07cc1459

SHA256
0db8033ee250e0286882686926e4bfb05e88284c4769304ef47ab328bacd1acb

SHA512
e83c6bc68851837063bd6d22a8615d40918359f2d743181940410ebb1dce3dc352cad84f3be32561547ddb9640d290317c631011f6c55ac2a3d120974a80baee

Download Submit
C:\Program Files (x86)\SPlayer\lang\splayer.ge.dll

Filesize
138KB

MD5
52d7fb5ce858a29b8ea9214ea13d00d5

SHA1
c9c8a3cb46e2a78bf9423bb883fd6d7a47b30135

SHA256
65671d2c99a1dfdb5cc3434cbc756d984932aea78bdf93bb368ace42e0b86a8e

SHA512
7e544c46a10035fb3334e706cdf079b3b4abe775214da1a84da221f0cf3b35058e1df4264f47895f00482b7d54c4ef0aa0b693aad9779d7746b817e3fd0f1bf0

Download Submit
C:\Program Files (x86)\SPlayer\lang\splayer.ru.dll

Filesize
154KB

MD5
75b230a6690ac65d447008cb97fbffb5

SHA1
085716a846b39091de6a9dd459081cbe1ee5f306

SHA256
9dd6b4833e6eba558e6b78838a79b80b6da644aa36c50e44d56a78078b763071

SHA512
30630ba99defb4e58be7f50029e86ef9aea85c75e9e1645b1764072cc8f4481f7e1bbefc4d3b8aa96da54ee5a3d6f4a6a3c9686c6037faba11678c77afb216c1

Download Submit
C:\Program Files (x86)\SPlayer\mkunicode.dll

Filesize
24KB

MD5
8d803ebe525991e6c85ac047d39b569a

SHA1
4d1b5a9373f7cbce6e57ddf8edb1c49ccf0e73a6

SHA256
006d5f191260dc524c2565f5d13cabac9117b4e2e4fb43d9523f7272fe75626a

SHA512
8d3323d7b66d829b814c4edb6d5ca333ef2e194cf9400d9567f44fc11e4f169c69b314abf74fc9d3d237dca67dc5fcb915cb2bc8cb3cafcd81a5464062b9c95b

Download Submit
C:\Program Files (x86)\SPlayer\mkzlib.dll

Filesize
78KB

MD5
9df0f8c0acc5548f32906f6ea4d222b1

SHA1
28901f67977cc46ee6877fc3ee31544e07dc9612

SHA256
108937c0a47a4c9c72f57863973eadfb700f52a6cc2af6030f7c8e82e0b1fcb3

SHA512
c22fb8f702b3a5799aa5b4fa584931a746cadd70541fab51b682269425aeffe7a692e935219cdfc31d18e637c320e7d22b260682d7f1f2e39f32b05c7ef93ebc

Download Submit
C:\Program Files (x86)\SPlayer\mmamrdmx.ax

Filesize
252KB

MD5
e7d1fed458491c4963da4529756d46dc

SHA1
1365fe0182bfe3bb02956e19dc52969de54d0ff4

SHA256
c2f2db4855945052dc2e3f701db1f9b11beb42515f4d42b220402f3e917dbc73

SHA512
3ba43c0929a56335479d0795b40f74b7f90954143747545f229c201ab439dea8f87638613f20708dd5082373b683550dffd74d79c0bd91e3d7699ef10419096e

Download Submit
C:\Program Files (x86)\SPlayer\mp4.dll

Filesize
138KB

MD5
17cf953ae7ea3128f1a8d44a39746011

SHA1
b980baaf8f44755def237e3ab302c6339af85065

SHA256
1c395ae152eb47388fb33c1f922fe707cff578fb7fe19e1625cd1957094da0e8

SHA512
d3031f70ec0c3a2d3932c493acbaf6196bea4f7ee65e2c48b44e7857e532c411358e5b8687f14fd0ce0d4ae306121bbab110ffb8b8bf5ecb9848dfa05fcdb61f

Download Submit
C:\Program Files (x86)\SPlayer\ogm.dll

Filesize
120KB

MD5
43316f8a3072ce9ba9a82526e7f94987

SHA1
fadfef22c01325b087e7cf10061526a14270509e

SHA256
14ad96918ecd7790ec0f391fff07c1e5e23ac4d9608690a678dd22db5d241076

SHA512
675890e02b3e561dd50ca6395a024494da65ad5f412dd74ef230d1a79631da8db7f3ba9c608986355b109db3f7ffcb80a9cfe37988cbda1152295dca60990aad

Download Submit
C:\Program Files (x86)\SPlayer\rlapedec.ax

Filesize
136KB

MD5
f8dd535c7c145b18d31e00d40f1ffef8

SHA1
364e6d4019979dc64c9aaca14ca3663d8dd3d44e

SHA256
ff5fa90cbc2b77a730e3e97719f86500d3a3902ca0dda0383818731f76d4d0f7

SHA512
a9a41aff1607d14a30fbbbda528c62fb9cd7663a94e0265cb103a3975d137360fbb0a4b7260b324da12db95753f40c4bbc6f2de6bcadf34c6425d9136db596b8

Download Submit
C:\Program Files (x86)\SPlayer\sinet.dll

Filesize
1.1MB

MD5
e4db34edcdb4d5d0c986e7814379350d

SHA1
70e9fa2854ba1fee806b226556ef13f8a945c777

SHA256
1eaada50331eaa7b2b8c76ead762f03a5c532c1feb34673b2f72c68777d86eeb

SHA512
35a4dd9ce52626f254d92cedc945fbe916109b2916e02141bd459bf3e952b05765f2744b0e2b89cd7e62138ef1c7040348b7df203ab8cb4d987b1c206541c120

Download Submit
C:\Program Files (x86)\SPlayer\smackw32.dll

Filesize
94KB

MD5
9dcf8871a1c8fbf20fbd9cd8b332cea4

SHA1
97eb8b87be15b228c5498aebe9f384ec31d4570d

SHA256
f9b2fdb5ebc8e659c7ac132c213fcfd2eb059a1195a129121bb68ca21699e5e1

SHA512
6458152d4d86609670bd0aa41bf8bf19e259e77612836bd633dfa6fd9019b3b3c9cde9d52482fc6fc112fce0b89484e4607b877396149ffba9524189afef6e4f

Download Submit
C:\Program Files (x86)\SPlayer\sphash.dll

Filesize
169KB

MD5
175a19f025bc4de9b2eee839839dd22d

SHA1
81f47fce74eac77900d157b6eeddd690098172fe

SHA256
1d49fc762b93ce644d1e4a68579e3376a3d7544528ea1c08c345f1524f5fca7e

SHA512
b0d5d80c22cb3011481d4a9d6240d496794a7f70bfa78723423cefe8f62b0ba9c4d71e93638a1d970ef9787e3651096a7cf1b65d681caaa9510442d74dddf2a3

Download Submit
C:\Program Files (x86)\SPlayer\splayer.exe

Filesize
9.7MB

MD5
1a8242c5d3de6ea9b8f2ec2eeba49242

SHA1
865495edbf6b8071add8f416df8befe2e17b7f46

SHA256
3ada7893955515e4c2f4c549f0ad89badea9d2e980041b6d4449b84f111118c2

SHA512
369a705a0d490a3ef29504783323a0257fb9f0761a79fc8013054be0b1eb583f68945f9cf4e709c73b419288971c99c79bad43b3cb561422b247d468c66c2a04

Download Submit
C:\Program Files (x86)\SPlayer\ts.dll

Filesize
150KB

MD5
6258e2a978ab7fa47692ab2bb15bd32a

SHA1
b62c5f9a503b7412a9b68a40ca2c4bd431a7b481

SHA256
c82fd14b700df1112a23c36a9c8347cf3cb243cf79d5bbbfdc206a917b85aa85

SHA512
3b22c80b7d2998fc34b63aecb31a403cb9a18c8ae3da46ce1800970cdafe1c2f2f80fc9a858718096752aa92748fd3136c4c781cb752515672d4b8f186fd9697

Download Submit
C:\Program Files (x86)\SPlayer\unrar.dll

Filesize
165KB

MD5
26e08cdabeeb89d741303f0d61cf4cb2

SHA1
7d46c021500ccb362048141ccf2cf0c779917308

SHA256
23756a18f60b34961c2ab33e8b5e6ae81012f6c4e673690002b0bc5b5c7f02ec

SHA512
1959516d46a3e2d66d14cb3f56e450c8ffe68138def1d33c2e726d20c18b018dd0c33742fed7247e823028212f4e12cfe83b19d51423a482409024fdc7654fd2

Download Submit
C:\Program Files (x86)\SPlayer\vp6dec.ax

Filesize
320KB

MD5
55ca1bff59bded14d855aaa5c5c0a6c1

SHA1
b1399962b73f4891da59a038f585eb7006695ee8

SHA256
f076fc98171423cc95ca7cece2814c53b60b2b654df8ab4af0d790fa5e673be7

SHA512
06bb53c40fe3835d2b9140f870c0d56d8f8e233763a0b0bfc62b2ced1f34b4da706af98461f81cbc05b48c643179a5521fb976db6ba3146819342b0d8e78c444

Download Submit
C:\Program Files (x86)\SPlayer\vp8decoder.dll

Filesize
245KB

MD5
03b37a7ad33faf03a808a5521cc59bf8

SHA1
61062d2317482c09ce543615a8be6b7273b3de6e

SHA256
e7ed9dc077e00a2a9a5f47d3a4a9e0f06c10622840ccf27fae3185d0e65439b5

SHA512
36a8af342784a7bdf6316ed335956799a653e71811dd94a659056b5f13658d85c081375b7476ea6f237910f17d69bcebf8509525c8c5f0d042898342de51626e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
39c9a4ed2604b29a1e2c06cc62bcda9f

SHA1
c262a5f27dfb7a469e652f7655794ccb0ab55769

SHA256
6da3dab67ec65aefa63eb382cd68610c8888d055dd796fa05f8a65204489e3d2

SHA512
e1d6adf41d1baffa8888d60736984f8cc429505857fe8b2b4e6b0201d104c29f9187c56bb9bc57e06a0727dcaab961bdd715a9bd01ace58758a1bac3403a05be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
23ed55d1794cbb2ba306b8497a4bf084

SHA1
5b006deae549a6f55956e8c8519c3573962ba4c9

SHA256
d203cd34aa9fcd8445303c460863e627563f43d6ab402d61e74494711431d517

SHA512
cc31f579268d62d5c9b7a6b49a4f7c1d0098c9215a132278dab03f5f78e1b46d3f164a281c26686cd25b2a573da89d152f4c695be00fa83e9d3aa70b64777138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d5465229b7f8f5c521795dcb7fbb142

SHA1
299a2824708ad22de1e09f53b51bb1929553ab25

SHA256
af8cf59bfe0f598fe36ff76d7ef281aeb206a854b4e62a66ec06b97e2bfb76fc

SHA512
3172b181d1d73e1c6228f2ea210950398afc2f86811c97e8da2ca79b6818a9f8753dd61fb860a763cece7bc54de2136a505b4bb5b361de3f7e2083ea12b1b859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ac55a23d2b15da53d597b0c039e9c706

SHA1
1c352795dfbfc0131d57d415f568c11828c00bf2

SHA256
42b99e625866dd04694c91bde4cdb5285dcf906462216b75467eaa1ed9880129

SHA512
5bb535e4aa29265c0272020dc5f9cab03dc1e328a772337db48b55248726ec3758083ab7a68257ff2ddc4aa31dd3213a424d144c3dedb6b2dd28819021bc3d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d9a65aa3ea03ae4d6b46931832bc5bc

SHA1
18eca0374f1d73049586b16a07e119a6d4729759

SHA256
7b4c119744a97230fd548a0cd1f44710562559fd118a6073879e971ba2822e3f

SHA512
fd17c203d5f2656fd42013e2d874d5e45bced5f6a2201653ca067993c1fbeba33d03d4ac2375233364b1ffe836b619f6deb6b848d3ac38a5f57f156702ec55ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB141.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB141.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.vbs

Filesize
1KB

MD5
2612f70262c6641cddd6ffb88b2bf118

SHA1
4564e41168323750afb07152d716582cc56ab83c

SHA256
6f97f4bd0f72b6af58dc05b06df7568330dca4e5cf9a8eda335fb28e975f54a7

SHA512
93bc0a85f17e4f2f06326904887a4b4e1c466609d9127efa9bfaaad0af04cd39ebe62608a7cdfb10b74d8280f866b3019fc139e69246eb19a3e5231b5cf75612

Download Submit
memory/1720-151-0x00000000037C0000-0x00000000037D9000-memory.dmp

Filesize
100KB

Download
memory/1720-157-0x00000000037C0000-0x00000000037EF000-memory.dmp

Filesize
188KB

Download
memory/1720-137-0x0000000005480000-0x00000000054FC000-memory.dmp

Filesize
496KB

Download
memory/1720-190-0x00000000037C0000-0x00000000037EF000-memory.dmp

Filesize
188KB

Download
memory/1720-145-0x00000000037C0000-0x00000000037E1000-memory.dmp

Filesize
132KB

Download
memory/1720-183-0x00000000037C0000-0x00000000037D8000-memory.dmp

Filesize
96KB

Download
memory/1720-176-0x00000000037C0000-0x00000000037EE000-memory.dmp

Filesize
184KB

Download
memory/1720-37-0x0000000005480000-0x0000000005544000-memory.dmp

Filesize
784KB

Download
memory/1720-117-0x00000000037C0000-0x00000000037E3000-memory.dmp

Filesize
140KB

Download
memory/1720-170-0x00000000037C0000-0x00000000037D6000-memory.dmp

Filesize
88KB

Download
memory/1720-99-0x00000000037C0000-0x00000000037DD000-memory.dmp

Filesize
116KB

Download
memory/1720-105-0x00000000037C0000-0x0000000003800000-memory.dmp

Filesize
256KB

Download
memory/1720-40-0x0000000005650000-0x00000000056DB000-memory.dmp

Filesize
556KB

Download
memory/1720-130-0x00000000037C0000-0x00000000037EA000-memory.dmp

Filesize
168KB

Download
memory/1720-164-0x00000000037C0000-0x00000000037F1000-memory.dmp

Filesize
196KB

Download
memory/1720-123-0x00000000037C0000-0x00000000037F0000-memory.dmp

Filesize
192KB

Download
memory/3908-314-0x0000000075C20000-0x0000000075EA1000-memory.dmp

Filesize
2.5MB

Download
memory/3908-311-0x0000000075F30000-0x00000000760D0000-memory.dmp

Filesize
1.6MB

Download
memory/3908-315-0x00000000770E0000-0x000000007715A000-memory.dmp

Filesize
488KB

Download
memory/3908-316-0x0000000073630000-0x0000000073658000-memory.dmp

Filesize
160KB

Download
memory/3908-310-0x0000000075180000-0x000000007521F000-memory.dmp

Filesize
636KB

Download
memory/3908-309-0x0000000076AF0000-0x0000000076D05000-memory.dmp

Filesize
2.1MB

Download
memory/3908-208-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download