Analysis
- max time kernel: 142s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 08:22
Behavioral task: behavioral1
Sample: 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
- Size: 155KB
- MD5: 6ddeeb36a6569a8a145e7a85a152a5d2
- SHA1: 29f9bbf8b56429bbbb3ca3d34cbd0100ce2eff25
- SHA256: 24c9154acd3eb56367df51d49ded984f64b312a048c6c72da24d28577e538116
- SHA512: 56f20d9457d64e7242f6c26ae0fc880665804853f7ab246e7f2100cfdc9a9863679165e46c7ba184c0033f900fbe3657bf13819299245fd7964d53d720d3c114
- SSDEEP: 3072:veAiXfLb9Dw86q4VRrV5tidHTY4dvoSGxsfcARUFxZJY11qQNIYK2QnmX0qoutCg:2AiH9xIRHtcokchFxLY11tHKDnooSCs5
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe)
- Executes dropped EXE (22 IoCs)
  Processes (pid, process):
    2508 javaSetup.exe
    3552 unpack200.exe
    1544 unpack200.exe
    2596 unpack200.exe
    1396 unpack200.exe
    3224 unpack200.exe
    4172 unpack200.exe
    1724 unpack200.exe
    764 unpack200.exe
    1752 javaw.exe
    2592 javaws.exe
    796 javaw.exe
    2124 jp2launcher.exe
    5436 javaw.exe
    5600 javaw.exe
    5772 javaw.exe
    8 javaw.exe
    1892 javaw.exe
    3112 javaw.exe
    2968 javaw.exe
    3356 javaw.exe
    5516 javaw.exe
- Loads dropped DLL (64 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/676-0-0x0000000000A00000-0x0000000000A60000-memory.dmp upx
    behavioral2/memory/4124-38-0x0000000000A00000-0x0000000000A60000-memory.dmp upx
    behavioral2/memory/676-73-0x0000000000A00000-0x0000000000A60000-memory.dmp upx
    behavioral2/memory/4124-74-0x0000000000A00000-0x0000000000A60000-memory.dmp upx
- Blocklisted process makes network request (1 IoC)
  Processes: msiexec.exe
  flow 56, pid 2732, process msiexec.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
  File opened (read-only) by msiexec.exe: \??\Y:, \??\Z:, \??\B:, \??\L:, \??\M:, \??\P:, \??\V:, \??\X:, \??\A:, \??\H:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\G:, \??\N:, \??\W:, \??\E:, \??\I:, \??\J:, \??\K:, \??\O:, \??\U:
- Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: MsiExec.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} (MsiExec.exe)
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1" (MsiExec.exe)
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (MsiExec.exe)
    Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1" (MsiExec.exe)
- Drops file in System32 directory (5 IoCs)
  Processes: MsiExec.exe
    File opened for modification: C:\Windows\SysWOW64\java.exe (MsiExec.exe)
    File created: C:\Windows\SysWOW64\javaw.exe (MsiExec.exe)
    File created: C:\Windows\SysWOW64\WindowsAccessBridge-32.dll (MsiExec.exe)
    File created: C:\Windows\SysWOW64\javaws.exe (MsiExec.exe)
    File created: C:\Windows\SysWOW64\java.exe (MsiExec.exe)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (10 IoCs)
  Processes: msiexec.exe
    File opened for modification: C:\Windows\Installer\ (msiexec.exe)
    File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
    File created: C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F03217080FF} (msiexec.exe)
    File opened for modification: C:\Windows\Installer\MSID2E2.tmp (msiexec.exe)
    File created: C:\Windows\Installer\e57ca84.msi (msiexec.exe)
    File opened for modification: C:\Windows\Installer\MSICCC6.tmp (msiexec.exe)
    File opened for modification: C:\Windows\Installer\MSICECA.tmp (msiexec.exe)
    File created: C:\Windows\Installer\e57ca88.msi (msiexec.exe)
    File opened for modification: C:\Windows\Installer\e57ca84.msi (msiexec.exe)
    File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: msiexec.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (msiexec.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (msiexec.exe)
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- jp2launcher.exe (PID 2124)
- jp2launcher.exe (PID 2124)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- jp2launcher.exe (PID 2124)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe (PID 676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cscript.exe (PID 2828)
      Command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

    C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe (PID 4124)
      Command line: "C:\Users\Admin\AppData\Local\Temp\6ddeeb36a6569a8a145e7a85a152a5d2_JaffaCakes118.exe" /asService
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\javaSetup.exe (PID 2508)
          Command line: "C:\Users\Admin\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\msiexec.exe (PID 4908)
              Command line: "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.7.0_80\jre1.7.0_80.msi" REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0 /qn METHOD=joff
              - Suspicious use of AdjustPrivilegeToken

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 1892)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\Zona.7z" "C:\PROGRA~2\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_core_1716539010384.log"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 2968)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" org.sevenzip.decoder.SevenZipFolderDecoder "C:\Users\Admin\AppData\Roaming\Zona\tmp\appdata.7z" "C:\Users\Admin\AppData\Roaming\Zona" "C:\Users\Admin\AppData\Local\Temp\zonaErr_plugin_1716539011618.log"
          - Executes dropped EXE

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 5436)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 5600)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 5772)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 8)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 3112)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 3356)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\utils.jar" ru.megamakc.core.JavaArch
      - Executes dropped EXE

    C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 5516)
      Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\PROGRA~2\Zona\Zona.jar" org.gudy.azureus2.core3.util.Constants
      - Executes dropped EXE

C:\Windows\system32\msiexec.exe (PID 2732)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 1228)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2C5604A08B2AE919A55A874E21CC230A
      - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe (PID 2968)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F1AE04168292E9FB8E51EFB6CE3D52D4 E Global\MSI0000
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 3552)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\rt.pack" "C:\Program Files (x86)\Java\jre7\lib\rt.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 1544)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\charsets.pack" "C:\Program Files (x86)\Java\jre7\lib\charsets.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 2596)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\deploy.pack" "C:\Program Files (x86)\Java\jre7\lib\deploy.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 1396)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\javaws.pack" "C:\Program Files (x86)\Java\jre7\lib\javaws.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 3224)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\plugin.pack" "C:\Program Files (x86)\Java\jre7\lib\plugin.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 4172)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jsse.pack" "C:\Program Files (x86)\Java\jre7\lib\jsse.jar"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 1724)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre7\lib\ext\localedata.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\unpack200.exe (PID 764)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\unpack200.exe" -r -v -l "C:\Users\Admin\AppData\Local\Temp\java_install.log" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.pack" "C:\Program Files (x86)\Java\jre7\lib\jfxrt.jar"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 1752)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -Xshare:dump
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Program Files (x86)\Java\jre7\bin\javaws.exe (PID 2592)
          Command line: "C:\Program Files (x86)\Java\jre7\bin\javaws.exe" -fix -permissions -silent
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Java\jre7\bin\javaw.exe (PID 796)
              Command line: "C:\Program Files (x86)\Java\jre7\bin\javaw.exe" -classpath "C:\Program Files (x86)\Java\jre7\lib\deploy.jar" com.sun.deploy.panel.JreLocator
              - Executes dropped EXE
              - Loads dropped DLL

            C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe (PID 2124)
              Command line: "C:\Program Files (x86)\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files (x86)\Java\jre7" -vma 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 -ma LWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads