Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2025, 11:40

General

  • Target

    JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe

  • Size

    3.6MB

  • MD5

    e60156f6d9a9642465da11d0915b43ad

  • SHA1

    c332bc20c25fb9bbc94185992811e977243c5664

  • SHA256

    672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1

  • SHA512

    806d626f2181c3968e90e0fe254a2956807d8beaed45ea20348c121a6db425cea3008a3518c2c0e77681e08a7c7bbca686b2189aba813628f2ebbcf2185e2997

  • SSDEEP

    98304:6jiX418wVrgGlg9iHjOzZYr8d/GXGtQ9TANT:6jiIBy6O9d/GXAx

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 22 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 40 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\InstGameInfoHelper.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      PID:2324
    • C:\Program Files (x86)\iWin Games\AdminWorker.exe
      "C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2668
    • C:\Program Files (x86)\iWin Games\AdminWorker.exe
      "C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
      "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1140
    • C:\Program Files (x86)\iWin Games\WebInstaller.exe
      "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:972
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1856
    • C:\Users\Admin\AppData\Local\Temp\nst563C.tmp\iwintoolbar.exe
      iwintoolbar.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1328
    • C:\Program Files (x86)\iWin Games\iWinGames.exe
      "C:\Program Files (x86)\iWin Games\iWinGames.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
        "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2904
      • C:\Program Files (x86)\iWin Games\WebInstaller.exe
        "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1644
      • C:\Program Files (x86)\iWin Games\AdminWorker.exe
        "C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2992
        • C:\Program Files (x86)\iWin Games\iWinTrusted.exe
          "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2616

Network

        MITRE ATT&CK Enterprise v15


        Downloads
