neshta | 62b6f44caf58bfb29bf4791afbc79f20f3a87be5865884744f121d4608e9d0e4

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
Size

3.0MB
MD5

a3ac1686e6e2619253b1a81ec9a1138b
SHA1

772385143050ed61cc7a066e51dca5da7d4883f5
SHA256

62b6f44caf58bfb29bf4791afbc79f20f3a87be5865884744f121d4608e9d0e4
SHA512

410a982e2de8b072459671f8b65d089a758acdc0704d7553940a0b1eb3cf87f3cb1ce2a7e6dc3e276225452cc323728746c2f13378dd5ac073702b03dfdbb250
SSDEEP

49152:A4x8x/qu2HN46nFd0XJ3JCBJZzfPPCBFwpXuob3tRTH31C7FWIdEBb5XE+h+BxIl:A4x8x/qu2HjnFd0XJ30BJtKkFuoT1C7S

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010318-11.dat	family_neshta
behavioral1/memory/2080-202-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2080-204-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
2876	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
2876	Setup.exe
2876	Setup.exe
2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
2876	Setup.exe
2876	Setup.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2876	Setup.exe
2876	Setup.exe
2876	Setup.exe
2876	Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2500	2080	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	31
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2876	2500	a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\3582-490\a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\3fcbe818b1518f75a0d78511e30dd801\Setup.exe
    C:\3fcbe818b1518f75a0d78511e30dd801\\Setup.exe /x86 /lcid 1049
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3fcbe818b1518f75a0d78511e30dd801\1033\LocalizedData.xml

Filesize
75KB

MD5
326518603d85acd79a6258886fc85456

SHA1
f1cef14bc4671a132225d22a1385936ad9505348

SHA256
665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577

SHA512
f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\1049\LocalizedData.xml

Filesize
79KB

MD5
349b52a81342a7afb8842459e537ecc6

SHA1
6268343e82fbbabe7618bd873335a8f9f84ed64d

SHA256
992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5

SHA512
ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\1049\SetupResources.dll

Filesize
17KB

MD5
e319e7edbce3380e6093c57ba42a7d80

SHA1
836a6b652b31bbb3651f67792b03134f93b3aa51

SHA256
76780363e5a487b5f67316e54cce727cb8a19b11063af0781a08d082ab51b853

SHA512
ec4e0123817a8ddfbffa9cdb95e9190bd2366e532f90157bb76d1354f1b08c7b8dffc5e2a1e1d4e161ee1b60cc5fd2cea5ce069f69c314fe80813d37d9a87d0f

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\ParameterInfo.xml

Filesize
146KB

MD5
fd4dda01f4dec2e404fb4536f3b6660f

SHA1
017750c0896e916fc3d80c4e5c18bcba7320fd90

SHA256
e6b3f7f8108094edf2e1de1967ffb7bf7db73dda717082f856e9ca1421987df8

SHA512
4e0ce874755b0569d067f3f1c457afb3bb859c0fae2d01238f99f17304d3462a3fd36469f0087f58ddc0f19b684c21780e1f4688eb31c5e9ac869010961ea666

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\SplashScreen.bmp

Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\UiInfo.xml

Filesize
38KB

MD5
002b52d8a030fb5bc2e35c9d209ecd41

SHA1
c4da0554a913a7a580c724d76ba2b1e13a598970

SHA256
44e7de36e58052f79d6168e867c9edee5bd6632d6f7450b55e94b1c666c4789e

SHA512
48a73976f797d3f83c722599e42135b550fe1f9479eede180403b2fda1c87da08e9176871f8ff017032a42046ac018eeb60c8e0b2c9fbc9e9f7a2d2f62cfb7da

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
C:\3fcbe818b1518f75a0d78511e30dd801\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIECB1.tmp.html

Filesize
16KB

MD5
8577024b8a49de16c9827e8a4656fa1f

SHA1
e7173afa78381b4d22d222a1ac92d26140a66d2a

SHA256
797895d4e60c6939f4ac9276b047ad3755a56132399c273cc7da61cc37d22393

SHA512
356735ad7dc283af1ca7af4d5825a28c1840d9a3e1466d3d378e894ab9adeb424b35ba0bff118c701b3dc4b795cff39b20ef86ec872e08c5cd712e3632e515d3

Download Submit
\3fcbe818b1518f75a0d78511e30dd801\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\3fcbe818b1518f75a0d78511e30dd801\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a3ac1686e6e2619253b1a81ec9a1138b_JaffaCakes118.exe

Filesize
2.9MB

MD5
ff3d8bb1f5b48b663e70d5d81f6a0e27

SHA1
cd3c9202ad527dc3807351180b3947247d249d9a

SHA256
bb5348de646644edeccbfc7c9e794afd5158cbc42c240cd258566a80286c1cc4

SHA512
186292aace010e067dd0ef984109b8298b21555aadaea4526de6f51e0db64482bbd64d41231881753993b105eca9208f6b606ad6f3d782a1e9c9e2b1e278d334

Download Submit
memory/2080-202-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2080-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download