Analysis
-
max time kernel
130s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
02/06/2024, 01:39
Static task
static1
Behavioral task
behavioral1
Sample
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
8c7d5a492d7680b8062055cc3ddb9b45
-
SHA1
0a8ab10ec6ccec645a7b40d4e5ca943475d2a5aa
-
SHA256
2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d
-
SHA512
8ea5a985fed7d884305558a8c2c2c0a93779e2efc803721f32d952df302bb208e101f83831f6df6611de3f6fbe860a305ee2c677a14b2e49726c4c6ade069a71
-
SSDEEP
49152:gco0o0emPUHFwm72hQ9y14tkANvHwXS245zSHNiK+UqbeCIRb:gcT6cEFwmS14tk4Hwl4haQ/xbY
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SET4C0E.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET4C0E.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe -
Manipulates Digital Signatures 1 TTPs 2 IoCs
Attackers can apply techniques such as changing the Authenticode and cryptography registry keys so that their binary is treated as validly signed.
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 devcon64.exe -
Executes dropped EXE 5 IoCs
pid Process 2480 hidec.exe 2760 devcon64.exe 2776 devcon64.exe 2024 autoit3.exe 2920 devcon64.exe -
Loads dropped DLL 14 IoCs
pid Process 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2952 cmd.exe 2488 wscript.exe 2656 wscript.exe -
Drops file in System32 directory 21 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D1B.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D09.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\oemwin2k.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstor.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat devcon64.exe File created C:\Windows\System32\DriverStore\Temp\{4949a07e-13b6-3d0f-f7a5-b17260bde81c}\SET2D0A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File created 
C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF DrvInst.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt devcon64.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat devcon64.exe -
Drops file in Program Files directory 60 IoCs
description ioc Process File opened for modification C:\Program Files\OpenVPN\cpau-run.exe xcopy.exe File created C:\Program Files\OpenVPN\openvpn-run.exe xcopy.exe File created C:\Program Files\OpenVPN\tapadd.bat xcopy.exe File created C:\Program Files\OpenVPN\devcon64.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\openvpn-run.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\openvpn.exe xcopy.exe File created C:\Program Files\OpenVPN\cpau-run.exe xcopy.exe File created C:\Program Files\OpenVPN\devcon32.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\tapadd.bat xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf xcopy.exe File created C:\Program Files\OpenVPN\cpau.exe xcopy.exe File created C:\Program Files\OpenVPN\hidec.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\hidec.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\devcon32.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\tapadd.au3 xcopy.exe File created C:\Program Files\OpenVPN\tap\x64\tap0901.sys xcopy.exe File opened for modification C:\Program Files\OpenVPN\autoit3.exe xcopy.exe File created C:\Program Files\OpenVPN\libeay32.dll xcopy.exe File created C:\Program Files\OpenVPN\openssl.exe xcopy.exe File created C:\Program Files\OpenVPN\openvpn-gui.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x32 xcopy.exe File created C:\Program Files\OpenVPN\tap\x32\tap0901.sys xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x64\tap0901.cat xcopy.exe File opened for modification C:\Program Files\OpenVPN xcopy.exe File opened for modification C:\Program Files\OpenVPN\openvpn-gui.exe xcopy.exe File created C:\Program Files\OpenVPN\openvpn.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\ssleay32.dll xcopy.exe File opened for modification C:\Program Files\OpenVPN\log xcopy.exe File created C:\Program 
Files\OpenVPN\cpau.job xcopy.exe File created C:\Program Files\OpenVPN\tapdel.bat xcopy.exe File created C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn xcopy.exe File created C:\Program Files\OpenVPN\tap\x32\tap0901.cat xcopy.exe File created C:\Program Files\OpenVPN\tap\x64\tap0901.cat xcopy.exe File opened for modification C:\Program Files\OpenVPN\libeay32.dll xcopy.exe File created C:\Program Files\OpenVPN\liblzo2-2.dll xcopy.exe File opened for modification C:\Program Files\OpenVPN\liblzo2-2.dll xcopy.exe File created C:\Program Files\OpenVPN\libpkcs11-helper-1.dll xcopy.exe File opened for modification C:\Program Files\OpenVPN\openvpn.ico xcopy.exe File opened for modification C:\Program Files\OpenVPN\config\lnkrivoshapka.ovpn xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x64\tap0901.sys xcopy.exe File created C:\Program Files\OpenVPN\tap\x32\oemwin2k.inf xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x64 xcopy.exe File opened for modification C:\Program Files\OpenVPN\tapdel.bat xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf xcopy.exe File opened for modification C:\Program Files\OpenVPN\devcon64.exe xcopy.exe File created C:\Program Files\OpenVPN\ssleay32.dll xcopy.exe File opened for modification C:\Program Files\OpenVPN\config xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x32\tap0901.sys xcopy.exe File created C:\Program Files\OpenVPN\tap\x64\oemwin2k.inf xcopy.exe File opened for modification C:\Program Files\OpenVPN\cpau.exe xcopy.exe File created C:\Program Files\OpenVPN\openvpn.ico xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap\x32\tap0901.cat xcopy.exe File created C:\Program Files\OpenVPN\autoit3.exe xcopy.exe File opened for modification C:\Program Files\OpenVPN\tapadd.cer xcopy.exe File opened for modification C:\Program Files\OpenVPN\tap xcopy.exe File opened for modification C:\Program Files\OpenVPN\cpau.job xcopy.exe 
File opened for modification C:\Program Files\OpenVPN\libpkcs11-helper-1.dll xcopy.exe File opened for modification C:\Program Files\OpenVPN\openssl.exe xcopy.exe File created C:\Program Files\OpenVPN\tapadd.au3 xcopy.exe File created C:\Program Files\OpenVPN\tapadd.cer xcopy.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.app.log devcon64.exe File opened for modification C:\Windows\INF\setupapi.dev.log devcon64.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Kills process with taskkill 2 IoCs
pid Process 1696 taskkill.exe 1396 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks." 
DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust 
DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 devcon64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e6469676
9636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a devcon64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
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 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 devcon64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 devcon64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2492 PING.EXE -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeDebugPrivilege 1696 taskkill.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeBackupPrivilege 2320 vssvc.exe Token: SeRestorePrivilege 2320 vssvc.exe Token: SeAuditPrivilege 2320 vssvc.exe Token: SeBackupPrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 1448 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2608 DrvInst.exe Token: SeLoadDriverPrivilege 2608 DrvInst.exe Token: SeLoadDriverPrivilege 2608 DrvInst.exe Token: SeLoadDriverPrivilege 2608 DrvInst.exe Token: SeRestorePrivilege 2920 devcon64.exe Token: 
SeLoadDriverPrivilege 2920 devcon64.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeRestorePrivilege 2644 DrvInst.exe Token: SeLoadDriverPrivilege 2644 DrvInst.exe Token: SeDebugPrivilege 1396 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 1608 wrote to memory of 2480 1608 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 28 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2480 wrote to memory of 2952 2480 hidec.exe 29 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 1696 2952 cmd.exe 31 PID 2952 wrote to memory of 2760 2952 cmd.exe 33 PID 2952 wrote to memory of 2760 2952 cmd.exe 33 PID 2952 wrote to memory of 2760 2952 cmd.exe 33 PID 2952 wrote to memory of 2760 2952 cmd.exe 33 PID 2952 wrote to memory of 2776 2952 cmd.exe 34 PID 2952 wrote to memory of 2776 2952 cmd.exe 34 PID 2952 wrote to memory of 2776 2952 cmd.exe 34 PID 2952 wrote to memory of 2776 2952 cmd.exe 34 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 
1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1784 2952 cmd.exe 35 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 1556 2952 cmd.exe 36 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 608 2952 cmd.exe 37 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1504 2952 cmd.exe 38 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 PID 2952 wrote to memory of 1620 2952 cmd.exe 39 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"4⤵
- Executes dropped EXE
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"4⤵
- Executes dropped EXE
PID:2776
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F4⤵PID:1784
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\OpenVPN" /F4⤵PID:1556
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F4⤵PID:608
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F4⤵PID:1504
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F4⤵PID:1620
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\.ovpn" /F4⤵PID:1544
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\OpenVPN" /F4⤵PID:1552
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F4⤵PID:1744
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"4⤵PID:984
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"4⤵PID:1888
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"4⤵PID:2184
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"4⤵
- Manipulates Digital Signatures
PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"4⤵
- Executes dropped EXE
PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"4⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\SysWOW64\find.exefind.exe /I "successfully"4⤵PID:976
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S4⤵PID:2984
-
C:\Windows\SysWOW64\reg.exereg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S5⤵PID:2964
-
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011" /V "Characteristics" /T REG_DWORD /D "0x89" /F4⤵PID:1828
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /T /IM "autoit3.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\SysWOW64\xcopy.exexcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"4⤵
- Drops file in Program Files directory
- Enumerates system info in registry
PID:2892
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F4⤵PID:1864
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F4⤵PID:1640
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F4⤵PID:1472
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F4⤵PID:2016
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F4⤵PID:1488
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F4⤵PID:1844
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F4⤵PID:3044
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F4⤵PID:2316
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F4⤵PID:3012
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F4⤵PID:2928
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F4⤵PID:1308
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F4⤵PID:1648
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F4⤵PID:2552
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F4⤵PID:2056
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F4⤵PID:1600
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F4⤵PID:2132
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F4⤵PID:2384
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F4⤵PID:2212
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F4⤵PID:2568
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F4⤵PID:2232
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F4⤵PID:1936
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F4⤵PID:2732
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F4⤵PID:2672
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F4⤵PID:2704
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F4⤵PID:2608
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F4⤵PID:2728
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F4⤵PID:3068
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F4⤵PID:1652
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F4⤵PID:2576
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F4⤵PID:2708
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F4⤵PID:2496
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"4⤵
- Loads dropped DLL
PID:2488
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"4⤵
- Loads dropped DLL
PID:2656
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 114⤵
- Runs ping.exe
PID:2492
-
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0fefe06a-ebbc-2c12-4116-6c521a955d70}\oemwin2k.inf" "9" "6d14a44ff" "00000000000004C8" "WinSta0\Default" "0000000000000574" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005D0" "00000000000005CC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemwin2k.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.9:tap0901" "6d14a44ff" "000000000000038C" "00000000000005C0" "00000000000005D8"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644
Downloads
-
Filesize
3KB
MD5bbec26e2402902591d21c4dad4206f30
SHA106d41d840116f75beeb56002b90182eb88cded86
SHA256e79f12b202712e3189ed34321eb20e0f82cc301450e1d13a8c739b399a7482ee
SHA512d54bde1bf9c6ecc77b6dbedf8db99f8b31a94b9788349b0a974d61bcd86b2bdb95501a49443b63734ecac3e0e737515256c189dfffcb2c369ad90b9bc67cb859
-
Filesize
8KB
MD57e54c20a0658b2691e95935231e2539e
SHA151a5b9a034104563100de5190220cfc8b73afadc
SHA25616c3bc3270665b4776b35936c12a30f28ba3d858b27d59827370c1bfb5b1b60d
SHA51298e72078f7e4e123be9e59a9bf91d27011448eddc90bf4229d0e8350a3d0c13a6751f395149928659587f8adf7d9b560eb84c1e5ae4a2dc7488f78114d6575b2
-
Filesize
542KB
MD57100f979b8516b8c1ae6ff858435626e
SHA1c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7
SHA2565ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3
SHA512d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593
-
Filesize
1KB
MD5b47e8a3ea1bf24b7238471f3ef4c2012
SHA1b85a15c08e9c895e98ed7bdc5093dbc2d5d9623e
SHA256978364b033b906900d39def309c9ea5f62c4734e66731ffa15b4e04991b0ef46
SHA5124a4e84565ebd80845a129923aadf8e67337919b319e28ce0c2c784908defa460fdbedb136b8f851683bf9049b1f358059eb4945f41bdaa39b156ca7957f95237
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
2.2MB
MD588a5e21b46019e6632820a7ab72c4897
SHA13829dade8363cc3000fee0adc760614755c69bc4
SHA2566fd2315f248473d4da77cec857500f47d93b91010504d40f81d650a0bebf7225
SHA512b75e85a7c38f39b418ac3f2ed023f21d88c83c6e69b13a4888456f2e8fb5074b4e1aeebf4dd7cc3d226ae57359b8bdb2300c6d88cd85447bdaec626d822c21d9
-
Filesize
170KB
MD533120addb41cebf8bef95c71cf2166c8
SHA107ad36f3303fc95c0c914224ce0ac66cbe191042
SHA25681d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df
SHA512cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f
-
Filesize
112KB
MD5b953c29a14e9a1de3634894ae338132d
SHA117adfb1793bcf320a8eab328b83caf1fff905dae
SHA25665848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394
SHA5120f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808
-
Filesize
889KB
MD5482989dd49b3fd50dfc63d4555f7ac34
SHA18bd69d6f676992c37de9554b1be633a30298047b
SHA2562f89d2769625080c4f4d691edc189582bcfe7bc661f69b4254db20913d89e2ed
SHA5128647b21bfbe8664163c7569cb09ec1fe4de901fb4149fe9acc37c9aef9642eb4e18bf9156b3d343a0680d068d2cd2b4cd4844f89779cdff3ef15e21c3d0cd943
-
Filesize
400KB
MD5a6476027f3d13292599be72b672d0eba
SHA100fefcd36c7743499aec9a8d2c5076e1f1605639
SHA2569412723b811f33d33408b8a932cc389c95294f56b1cb622859dba1280c2e259b
SHA5128033f132797ce69fb074d7ac5e9771e126ed0757ab410b0ee17020f7728803e0c89483b2ba38b4ce13b5e4855172fcb41e8476060284ca8500e56fdba5c6a6bb
-
Filesize
7KB
MD5a04d972fa20f1b04802448756f9f3a49
SHA1a99c091155100c71b631386604bc045d86e843c5
SHA25697cb8862a4af8218a5c30dd51e219c23f8e3e1588fc890d65d8b12850d15a28d
SHA512413459b771e2d7404534c12d1d5844ef8a455402c7c2cc8925e1f7e9a9cbab66968a26c5c23aa1014bcadf894381fb453e1b3ba415a0ab6644c390102f495b16
-
Filesize
661KB
MD5abd63e52fd0eb910a8d3eccb247ab25d
SHA18ad3fc615e5190e7de79e98e6a4ddf8e4c5ec910
SHA25683bab0975ba4b8202b77a3ae6e6edada231ddbae30bafae1246d6fe886167bb4
SHA5126df9d32c5f455448fae85c2f0256db8cf64b688ca2852cd30ba57e3ce763fe28f6b0d169fc7db60afd817faab74cc5481268992854b9913848873b41c2ca6627
-
Filesize
575KB
MD5d5bbd87e924eb25c9dccf3cf719ec3f0
SHA153318e7eef3422af92669df2530542d830fe1985
SHA2567bb88ab66da575da9a78c4d6d92c52540b6f0346a836baded3aa9b7608996ba6
SHA5122793cb8f5d7764f09e01f364820c1b43594a6e6eaa25aa0ec57548b13c6afd31420e11d77625cf5de69aeeaa836885592c5672cda3ae854d87eae065026affcb
-
Filesize
7KB
MD535589b966c65a52a1c95791bbcd80543
SHA1d65994dd38de0e1971f8c99a048c46acc284e8bf
SHA2568892d224ae879cc35ffe216691fc6ba3266d88b6239838f7d38b3a4ff4ad74b6
SHA512ece01e898527ae2ce3039457ea1823bda6351871900c1a7a20057ff3250e33ed8ed216af3318edaa1c3825c17d348dee06078e946d10332e87af8ec45795fd5f
-
Filesize
10KB
MD5fb34d08569af3a01758d4bf629a3aa0d
SHA1d84aa4acf33724ea68d0f60ffbce0afebc583d95
SHA256aa83670a92681a19b6aed64cf0509c2b53b56c11352a88764fc25c7bf6f5c5f9
SHA512df6f9d33b38b0910cbfe9aa4449bc3793eac88160d9346cf4010985bfd1edd67e70376af4c6680f08c1fe7bea76b0ab396392b09f3ce22b1f5797b66fa235de2
-
Filesize
34KB
MD5432d9d823c4c26b6070c41bad4404ce4
SHA15e562e4b8a04dc61614423d0440f2057a0e55059
SHA256741b41f7467d312af4cc733ea31f647fbcd06985cbb6a14117e8a87a6f7b06f5
SHA512b53f7e036f7dabfae9d5a447ec134f43cf7c03b5c60a138e13ada19358e9b42bcd24244a220d8c00229319812fd6935a81c45233eafaf2603616846f27ae5084
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
3KB
MD5069888d95f71a29ec6f8fe4b4e124adb
SHA1353821428d6dded375f64e2c75f6cfd44b4c3f49
SHA256bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11
SHA5120875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97
-
Filesize
7KB
MD5b6aada0cbed06889053a05b66f146979
SHA1823025f02b355b37df7d7657b0f2b4d3584891a5
SHA256a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707
SHA5129f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad
-
Filesize
1KB
MD51399f4d45f332e0b7443e91f601cc4e5
SHA14fafcd4d415f977a018b3fb169d4982de5e62aaf
SHA2569dba0f89b93b7880061dcc0b30d37d992ef99f15ee9b2e70124ebc70a55ae96b
SHA512fb805f85e566066ca40d8f04c52ed0f0a9aee09926b37eff41b318edfe880ca5a5e909642182e8f452b90becd368d64763e2329340d3986caedd2993da9ce178
-
Filesize
1KB
MD51d547f162cc179e515400745d47a9815
SHA1aa57115d87770d696b0a5ac810be261c06d623db
SHA2569de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab
SHA51218ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20
-
Filesize
1KB
MD53d5ffd53be77c32cbb147f32423c0a86
SHA1ec4f1d31686625ecc004993cd0e89a4136dd3344
SHA256669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c
SHA512bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7
-
Filesize
493B
MD520be78849f16f8008914d8146b5a06f3
SHA17025a9cf11277fcafb527a1b6bd72fa9e467d6e2
SHA256fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2
SHA5120f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0
-
Filesize
802B
MD5d488d8de97683b833c32bbe531a3f8c1
SHA14d5e1461bf19d1e46ee184235913d5e83f638f6f
SHA256cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b
SHA512d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7
-
Filesize
952B
MD5204f9556853cf1f01dd6ef9b6e93c89e
SHA11f90491b6acf00025df95edcf485dacb0657c541
SHA256f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae
SHA51201e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177
-
Filesize
469B
MD553aff72e284f8b212a7d88abb0dc8763
SHA101eb94360f2190f963010b93147999a2e5c28e4e
SHA2564355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35
SHA512940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16
-
Filesize
7KB
MD53b400e42685b3fa8df13b8cd97bedc3c
SHA18cc19661310675e1a823168dcf14343514d6532c
SHA256eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719
SHA512463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55
-
Filesize
4KB
MD5106bcfcc67890864960720c1ef24d49c
SHA180afac8bf05f1aae0033b286f4e10e8ff15ef6d7
SHA256857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b
SHA512ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_neutral_5a1fec2fbbccefcc\oemwin2k.PNF
Filesize8KB
MD56855a9c34a2bd45ce302e8635a7913a5
SHA13b1a911a944eb1970a9fd8501a45bfbfca825f57
SHA25691e27001efcbc2ef7ac66bf564d296a42640899b75b821037ff607b13beefbcf
SHA512847183d9029374a7be71682a8bc7d9c748349c82b316bc013e29a88493dd6100b64614afbeb0a0e53e3eeedbb3ed56c0099642e352162bd3f7e74432c90db63e
-
Filesize
1.4MB
MD5e27e5ee5c5c2c8d742bdd8d187a101f2
SHA117e7ef7c6aff9a1858bc8db391b3841f0bb498ea
SHA2564c6f56bf5f87f209aeb6f0a38ab994b6948e6529b9d9e09601804791eaca3416
SHA5124ad3d84230ab62c37fca393970e24dd40ec4887915a61ef7b10aff9b41153f21e971890bb08d2a73a969cf0b239ff13d3e6e2c16aec99cee0e1d8cb92368af15
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
8KB
MD5e8b3eee05aeb838e7b93c27837d116db
SHA15ea7e83df7332f9fc9ba5fa63a0bbc034082a9f9
SHA2560117cb5a10a89d6f70b8cdb0058fd177cf5f4bc0d2d95c08113d9d97fd24d77b
SHA512c24172409b03bd27f458c4e6c93f65fe8460048fe2829e51f664e35393a2ab7123bd24ba9e30a1d9d0b61a6fab9c21c91ec64ce24849f4f92c492568db2b6675
-
Filesize
10KB
MD50365c95d5be2b3d314dcc019380c0e11
SHA1c269cee763f580e890d2eae42a8e98116e04a232
SHA2566f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503
SHA5129acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c
-
Filesize
39KB
MD53c32ff010f869bc184df71290477384e
SHA19dec39ca0d13cd4aadf4120de29665c426be9f2b
SHA25655cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b
SHA5122443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff
-
Filesize
727KB
MD578c22df03127318893ce5b1fede8401c
SHA1d640359b4c5d04f666b3c57c762570a6bbb61c2c
SHA256be76e4e3109418b914a958deeeef9116df9c269d90a1e92e9656df70dcbecd9f
SHA5128070a452912c4a399496bd646857c3659111a9f6b6785ed0fdbde4020eabcc3aec28099534bd773b71c6b0d19dd013672441a3df1bbb287af8c1d222c3dd2664
-
Filesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1