Analysis
-
max time kernel
91s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
02/06/2024, 01:39
Static task
static1
Behavioral task
behavioral1
Sample
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
8c7d5a492d7680b8062055cc3ddb9b45
-
SHA1
0a8ab10ec6ccec645a7b40d4e5ca943475d2a5aa
-
SHA256
2af485626e4b3fac3c880cf16b950f17562169c0c3b01e8bcead75453e74ce0d
-
SHA512
8ea5a985fed7d884305558a8c2c2c0a93779e2efc803721f32d952df302bb208e101f83831f6df6611de3f6fbe860a305ee2c677a14b2e49726c4c6ade069a71
-
SSDEEP
49152:gco0o0emPUHFwm72hQ9y14tkANvHwXS245zSHNiK+UqbeCIRb:gcT6cEFwmS14tk4Hwl4haQ/xbY
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\SET4BDE.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET4BDE.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Manipulates Digital Signatures 1 TTPs 5 IoCs
Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed. In this report the store changes are the certutil.exe -addstore "TrustedPublisher" call and the devcon64.exe driver install, both of which write a TrustedPublisher certificate blob.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 certutil.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 devcon64.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 5 IoCs
pid Process 1696 hidec.exe 2448 devcon64.exe 2492 devcon64.exe 3424 autoit3.exe 1440 devcon64.exe -
Drops file in System32 directory 16 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.PNF devcon64.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\oemwin2k.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0B.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A09.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4a1016ac-cd0a-604b-84e7-78a0e17e8bef}\SET4A0A.tmp DrvInst.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log devcon64.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI device information is often read in order to detect sandbox environments; here the vendor strings (QEMU, DADY) are queried by DrvInst.exe, devcon64.exe and svchost.exe during the driver install.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters DrvInst.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags devcon64.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID devcon64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID devcon64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Kills process with taskkill 2 IoCs
pid Process 748 taskkill.exe 4276 taskkill.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5
a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 devcon64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344 devcon64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EC4F1D31686625ECC004993CD0E89A4136DD3344\Blob = 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 devcon64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1644 PING.EXE -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 748 taskkill.exe Token: SeAuditPrivilege 2244 svchost.exe Token: SeSecurityPrivilege 2244 svchost.exe Token: SeLoadDriverPrivilege 1440 devcon64.exe Token: SeRestorePrivilege 760 DrvInst.exe Token: SeBackupPrivilege 760 DrvInst.exe Token: SeLoadDriverPrivilege 760 DrvInst.exe Token: SeLoadDriverPrivilege 760 DrvInst.exe Token: SeLoadDriverPrivilege 760 DrvInst.exe Token: SeDebugPrivilege 4276 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 316 wrote to memory of 1696 316 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 80 PID 316 wrote to memory of 1696 316 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 80 PID 316 wrote to memory of 1696 316 8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe 80 PID 1696 wrote to memory of 888 1696 hidec.exe 81 PID 1696 wrote to memory of 888 1696 hidec.exe 81 PID 1696 wrote to memory of 888 1696 hidec.exe 81 PID 888 wrote to memory of 748 888 cmd.exe 83 PID 888 wrote to memory of 748 888 cmd.exe 83 PID 888 wrote to memory of 748 888 cmd.exe 83 PID 888 wrote to memory of 2448 888 cmd.exe 85 PID 888 wrote to memory of 2448 888 cmd.exe 85 PID 888 wrote to memory of 2492 888 cmd.exe 86 PID 888 wrote to memory of 2492 888 cmd.exe 86 PID 888 wrote to memory of 916 888 cmd.exe 87 PID 888 wrote to memory of 916 888 cmd.exe 87 PID 888 wrote to memory of 916 888 cmd.exe 87 PID 888 wrote to memory of 4868 888 cmd.exe 88 PID 888 wrote to memory of 4868 888 cmd.exe 88 PID 888 wrote to memory of 4868 888 cmd.exe 88 PID 888 wrote to memory of 816 888 cmd.exe 89 PID 888 wrote to memory of 816 888 cmd.exe 89 PID 888 wrote to memory of 816 888 cmd.exe 89 PID 888 wrote to memory of 3532 888 cmd.exe 90 PID 888 wrote to memory of 3532 888 cmd.exe 90 PID 888 wrote to memory of 3532 888 cmd.exe 90 PID 888 wrote to memory of 2508 888 cmd.exe 91 PID 888 wrote to memory of 2508 888 cmd.exe 91 PID 888 wrote to memory of 2508 888 cmd.exe 91 PID 888 wrote to memory of 3020 888 cmd.exe 92 PID 888 wrote to memory of 3020 888 cmd.exe 92 PID 888 wrote to memory of 3020 888 cmd.exe 92 PID 888 wrote to memory of 1524 888 cmd.exe 93 PID 888 wrote to memory of 1524 888 cmd.exe 93 PID 888 wrote to memory of 1524 888 cmd.exe 93 PID 888 wrote to memory of 1004 888 cmd.exe 94 PID 888 wrote to memory of 1004 888 cmd.exe 94 PID 888 wrote to memory of 1004 888 cmd.exe 94 PID 888 wrote to memory of 1408 888 cmd.exe 95 PID 888 wrote to memory of 1408 888 cmd.exe 95 
PID 888 wrote to memory of 1408 888 cmd.exe 95 PID 888 wrote to memory of 3936 888 cmd.exe 96 PID 888 wrote to memory of 3936 888 cmd.exe 96 PID 888 wrote to memory of 3936 888 cmd.exe 96 PID 888 wrote to memory of 1660 888 cmd.exe 97 PID 888 wrote to memory of 1660 888 cmd.exe 97 PID 888 wrote to memory of 1660 888 cmd.exe 97 PID 888 wrote to memory of 2008 888 cmd.exe 98 PID 888 wrote to memory of 2008 888 cmd.exe 98 PID 888 wrote to memory of 2008 888 cmd.exe 98 PID 888 wrote to memory of 3424 888 cmd.exe 99 PID 888 wrote to memory of 3424 888 cmd.exe 99 PID 888 wrote to memory of 3424 888 cmd.exe 99 PID 888 wrote to memory of 1440 888 cmd.exe 101 PID 888 wrote to memory of 1440 888 cmd.exe 101 PID 888 wrote to memory of 2728 888 cmd.exe 102 PID 888 wrote to memory of 2728 888 cmd.exe 102 PID 888 wrote to memory of 2728 888 cmd.exe 102 PID 2244 wrote to memory of 1264 2244 svchost.exe 104 PID 2244 wrote to memory of 1264 2244 svchost.exe 104 PID 2244 wrote to memory of 760 2244 svchost.exe 105 PID 2244 wrote to memory of 760 2244 svchost.exe 105 PID 888 wrote to memory of 1948 888 cmd.exe 108 PID 888 wrote to memory of 1948 888 cmd.exe 108 PID 888 wrote to memory of 1948 888 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8c7d5a492d7680b8062055cc3ddb9b45_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\hidec.exe" "C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C "install.bat %~1 & ping 127.0.0.1 -n 11 & cd .. && rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\OpenVPN""3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /T /IM "openvpn*" /IM "openssl.exe" /IM "autoit3.exe" /IM "devcon.exe" /IM "cpau-run.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0901"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2448
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" remove "tap0801"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\tap0801" /F4⤵PID:916
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\OpenVPN" /F4⤵PID:4868
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\OpenVPN-GUI" /F4⤵PID:816
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /F4⤵PID:3532
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /F4⤵PID:2508
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\.ovpn" /F4⤵PID:3020
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\OpenVPN" /F4⤵PID:1524
-
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ovpn" /F4⤵PID:1004
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersPrograms" "OpenVPN"4⤵PID:1408
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "AllUsersDesktop" "OpenVPN"4⤵PID:3936
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "" "Desktop" "OpenVPN"4⤵PID:1660
-
-
C:\Windows\SysWOW64\certutil.execertutil.exe -addstore "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\\tapadd.cer"4⤵
- Manipulates Digital Signatures
PID:2008
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\autoit3.exe" "tapadd.au3"4⤵
- Executes dropped EXE
PID:3424
-
-
C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe"C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\devcon64.exe" install "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files\tap\x64\oemwin2k.inf" "tap0901"4⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
-
C:\Windows\SysWOW64\find.exefind.exe /I "successfully"4⤵PID:2728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S4⤵PID:1948
-
C:\Windows\SysWOW64\reg.exereg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /S5⤵PID:440
-
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0002" /V "Characteristics" /T REG_DWORD /D "0x89" /F4⤵PID:2196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /T /IM "autoit3.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4276
-
-
C:\Windows\SysWOW64\xcopy.exexcopy.exe /E /C /Q /H /R /Y /Z "C:\Users\Admin\AppData\Local\Temp\OpenVPN\Files" "C:\Program Files\OpenVPN\"4⤵
- Enumerates system info in registry
PID:512
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F4⤵PID:3504
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F4⤵PID:4216
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "config_ext" /T REG_SZ /D "ovpn" /F4⤵PID:2652
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F4⤵PID:3856
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F4⤵PID:2688
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F4⤵PID:1360
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN" /V "log_append" /T REG_SZ /D "0" /F4⤵PID:4532
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /VE /T REG_SZ /D "C:\Program Files\OpenVPN" /F4⤵PID:4100
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\config" /F4⤵PID:1304
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "config_ext" /T REG_SZ /D "ovpn" /F4⤵PID:2548
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "exe_path" /T REG_SZ /D "C:\Program Files\OpenVPN\openvpn.exe" /F4⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_dir" /T REG_SZ /D "C:\Program Files\OpenVPN\log" /F4⤵PID:1164
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "priority" /T REG_SZ /D "NORMAL_PRIORITY_CLASS" /F4⤵PID:744
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_append" /T REG_SZ /D "0" /F4⤵PID:2140
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_view" /T REG_SZ /D "0" /F4⤵PID:216
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_edit" /T REG_SZ /D "0" /F4⤵PID:1088
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_service" /T REG_SZ /D "0" /F4⤵PID:4424
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_proxy" /T REG_SZ /D "1" /F4⤵PID:3324
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "allow_password" /T REG_SZ /D "0" /F4⤵PID:316
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "service_only" /T REG_SZ /D "0" /F4⤵PID:1772
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "log_viewer" /T REG_SZ /D "hidec.exe" /F4⤵PID:1616
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "passphrase_attempts" /T REG_SZ /D "3" /F4⤵PID:748
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "editor" /T REG_SZ /D "notepad.exe" /F4⤵PID:4396
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "connectscript_timeout" /T REG_SZ /D "15" /F4⤵PID:1924
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnectscript_timeout" /T REG_SZ /D "10" /F4⤵PID:3688
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "preconnectscript_timeout" /T REG_SZ /D "10" /F4⤵PID:916
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "silent_connection" /T REG_SZ /D "0" /F4⤵PID:4868
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_balloon" /T REG_SZ /D "1" /F4⤵PID:816
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "show_script_window" /T REG_SZ /D "1" /F4⤵PID:3532
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Wow6432Node\OpenVPN-GUI" /V "disconnect_on_suspend" /T REG_SZ /D "1" /F4⤵PID:1876
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /V "C:\Program Files\OpenVPN\openvpn-gui.exe" /T REG_SZ /D "RUNASADMIN" /F4⤵PID:1732
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersPrograms" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"4⤵PID:4976
-
-
C:\Windows\SysWOW64\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\OpenVPN\shortcut.vbs" "C:\Program Files\OpenVPN\cpau-run.exe" "AllUsersDesktop" "OpenVPN" "VPN-¬½¿Ñ¡Γ" "C:\Program Files\OpenVPN\openvpn.ico"4⤵PID:3456
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 114⤵
- Runs ping.exe
PID:1644
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f942a4e1-6238-f944-a88b-ce84c26b9810}\oemwin2k.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\users\admin\appdata\local\temp\openvpn\files\tap\x64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1264
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.9:tap0901," "4d14a44ff" "0000000000000138"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:760
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
170KB
MD533120addb41cebf8bef95c71cf2166c8
SHA107ad36f3303fc95c0c914224ce0ac66cbe191042
SHA25681d618e824c8fc4481f337f301b2cd8a1299ccacc85fc70186a84841999d21df
SHA512cc89dd35d0e8aef12d8eeb5dcafbaca9735a87622adc8d9fadf5771b2b88ef7fdadf973d2f58f7190c91444cd2e98abeda5d5f04d20ea829370afc8540f3e79f
-
Filesize
112KB
MD5b953c29a14e9a1de3634894ae338132d
SHA117adfb1793bcf320a8eab328b83caf1fff905dae
SHA25665848133a5efb6ce50cc34e5aece19b7f95496cfdeb704840db643a1a0799394
SHA5120f7238c25d92e1ac05a1a926e6c318560246dfd062dde6f868b3eebf2b01c68ef27cad28927e629fa0d8d67de29783430d25427593c1891ad9789c755f2a0808
-
Filesize
400KB
MD5a6476027f3d13292599be72b672d0eba
SHA100fefcd36c7743499aec9a8d2c5076e1f1605639
SHA2569412723b811f33d33408b8a932cc389c95294f56b1cb622859dba1280c2e259b
SHA5128033f132797ce69fb074d7ac5e9771e126ed0757ab410b0ee17020f7728803e0c89483b2ba38b4ce13b5e4855172fcb41e8476060284ca8500e56fdba5c6a6bb
-
Filesize
7KB
MD5a04d972fa20f1b04802448756f9f3a49
SHA1a99c091155100c71b631386604bc045d86e843c5
SHA25697cb8862a4af8218a5c30dd51e219c23f8e3e1588fc890d65d8b12850d15a28d
SHA512413459b771e2d7404534c12d1d5844ef8a455402c7c2cc8925e1f7e9a9cbab66968a26c5c23aa1014bcadf894381fb453e1b3ba415a0ab6644c390102f495b16
-
Filesize
727KB
MD578c22df03127318893ce5b1fede8401c
SHA1d640359b4c5d04f666b3c57c762570a6bbb61c2c
SHA256be76e4e3109418b914a958deeeef9116df9c269d90a1e92e9656df70dcbecd9f
SHA5128070a452912c4a399496bd646857c3659111a9f6b6785ed0fdbde4020eabcc3aec28099534bd773b71c6b0d19dd013672441a3df1bbb287af8c1d222c3dd2664
-
Filesize
3KB
MD5bbec26e2402902591d21c4dad4206f30
SHA106d41d840116f75beeb56002b90182eb88cded86
SHA256e79f12b202712e3189ed34321eb20e0f82cc301450e1d13a8c739b399a7482ee
SHA512d54bde1bf9c6ecc77b6dbedf8db99f8b31a94b9788349b0a974d61bcd86b2bdb95501a49443b63734ecac3e0e737515256c189dfffcb2c369ad90b9bc67cb859
-
Filesize
8KB
MD57e54c20a0658b2691e95935231e2539e
SHA151a5b9a034104563100de5190220cfc8b73afadc
SHA25616c3bc3270665b4776b35936c12a30f28ba3d858b27d59827370c1bfb5b1b60d
SHA51298e72078f7e4e123be9e59a9bf91d27011448eddc90bf4229d0e8350a3d0c13a6751f395149928659587f8adf7d9b560eb84c1e5ae4a2dc7488f78114d6575b2
-
Filesize
542KB
MD57100f979b8516b8c1ae6ff858435626e
SHA1c6a596b10bc8fd05f8a13859fef8b2cf7a9360e7
SHA2565ac5867eafea23f57bfead8e84c366e2259490d8814ef0e3739853364055e4e3
SHA512d3f3acb9482df113eb2eadfcedc8ce869b4b9221df6f28497521fdb3042bc86d707dbda08df659258c706713ece89d5e0b81c5c85f8255923e96a55bb015a593
-
Filesize
1KB
MD5b47e8a3ea1bf24b7238471f3ef4c2012
SHA1b85a15c08e9c895e98ed7bdc5093dbc2d5d9623e
SHA256978364b033b906900d39def309c9ea5f62c4734e66731ffa15b4e04991b0ef46
SHA5124a4e84565ebd80845a129923aadf8e67337919b319e28ce0c2c784908defa460fdbedb136b8f851683bf9049b1f358059eb4945f41bdaa39b156ca7957f95237
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
1KB
MD5abc6379205de2618851c4fcbf72112eb
SHA11ed7b1e965eab56f55efda975f9f7ade95337267
SHA25622e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f
SHA512180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1
-
Filesize
2.2MB
MD588a5e21b46019e6632820a7ab72c4897
SHA13829dade8363cc3000fee0adc760614755c69bc4
SHA2566fd2315f248473d4da77cec857500f47d93b91010504d40f81d650a0bebf7225
SHA512b75e85a7c38f39b418ac3f2ed023f21d88c83c6e69b13a4888456f2e8fb5074b4e1aeebf4dd7cc3d226ae57359b8bdb2300c6d88cd85447bdaec626d822c21d9
-
Filesize
889KB
MD5482989dd49b3fd50dfc63d4555f7ac34
SHA18bd69d6f676992c37de9554b1be633a30298047b
SHA2562f89d2769625080c4f4d691edc189582bcfe7bc661f69b4254db20913d89e2ed
SHA5128647b21bfbe8664163c7569cb09ec1fe4de901fb4149fe9acc37c9aef9642eb4e18bf9156b3d343a0680d068d2cd2b4cd4844f89779cdff3ef15e21c3d0cd943
-
Filesize
661KB
MD5abd63e52fd0eb910a8d3eccb247ab25d
SHA18ad3fc615e5190e7de79e98e6a4ddf8e4c5ec910
SHA25683bab0975ba4b8202b77a3ae6e6edada231ddbae30bafae1246d6fe886167bb4
SHA5126df9d32c5f455448fae85c2f0256db8cf64b688ca2852cd30ba57e3ce763fe28f6b0d169fc7db60afd817faab74cc5481268992854b9913848873b41c2ca6627
-
Filesize
3KB
MD5069888d95f71a29ec6f8fe4b4e124adb
SHA1353821428d6dded375f64e2c75f6cfd44b4c3f49
SHA256bf445fb428e0ead0523322ddc9bdcdadd70ebbf83b7ff68aecdeb961a7d1be11
SHA5120875805467275597e7acbfae7d6edf5efad0228331b624a279b7cf485d4f8ac23c608829921e4ab372515750f66e4485c5c29d035f23baa905d42bd109546a97
-
Filesize
575KB
MD5d5bbd87e924eb25c9dccf3cf719ec3f0
SHA153318e7eef3422af92669df2530542d830fe1985
SHA2567bb88ab66da575da9a78c4d6d92c52540b6f0346a836baded3aa9b7608996ba6
SHA5122793cb8f5d7764f09e01f364820c1b43594a6e6eaa25aa0ec57548b13c6afd31420e11d77625cf5de69aeeaa836885592c5672cda3ae854d87eae065026affcb
-
Filesize
7KB
MD535589b966c65a52a1c95791bbcd80543
SHA1d65994dd38de0e1971f8c99a048c46acc284e8bf
SHA2568892d224ae879cc35ffe216691fc6ba3266d88b6239838f7d38b3a4ff4ad74b6
SHA512ece01e898527ae2ce3039457ea1823bda6351871900c1a7a20057ff3250e33ed8ed216af3318edaa1c3825c17d348dee06078e946d10332e87af8ec45795fd5f
-
Filesize
10KB
MD5fb34d08569af3a01758d4bf629a3aa0d
SHA1d84aa4acf33724ea68d0f60ffbce0afebc583d95
SHA256aa83670a92681a19b6aed64cf0509c2b53b56c11352a88764fc25c7bf6f5c5f9
SHA512df6f9d33b38b0910cbfe9aa4449bc3793eac88160d9346cf4010985bfd1edd67e70376af4c6680f08c1fe7bea76b0ab396392b09f3ce22b1f5797b66fa235de2
-
Filesize
34KB
MD5432d9d823c4c26b6070c41bad4404ce4
SHA15e562e4b8a04dc61614423d0440f2057a0e55059
SHA256741b41f7467d312af4cc733ea31f647fbcd06985cbb6a14117e8a87a6f7b06f5
SHA512b53f7e036f7dabfae9d5a447ec134f43cf7c03b5c60a138e13ada19358e9b42bcd24244a220d8c00229319812fd6935a81c45233eafaf2603616846f27ae5084
-
Filesize
7KB
MD5b6aada0cbed06889053a05b66f146979
SHA1823025f02b355b37df7d7657b0f2b4d3584891a5
SHA256a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707
SHA5129f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad
-
Filesize
1KB
MD51399f4d45f332e0b7443e91f601cc4e5
SHA14fafcd4d415f977a018b3fb169d4982de5e62aaf
SHA2569dba0f89b93b7880061dcc0b30d37d992ef99f15ee9b2e70124ebc70a55ae96b
SHA512fb805f85e566066ca40d8f04c52ed0f0a9aee09926b37eff41b318edfe880ca5a5e909642182e8f452b90becd368d64763e2329340d3986caedd2993da9ce178
-
Filesize
1KB
MD51d547f162cc179e515400745d47a9815
SHA1aa57115d87770d696b0a5ac810be261c06d623db
SHA2569de5b0471dbae91bdf1a140682c1e821616b715e96305ca8fe1556baa84599ab
SHA51218ce4d2a9879f098410debcf8f6e1792666cbe420a474dfbf8ff9c622f66fc1790a9a2377eb16c74f3077e4cd99add2a72ef0227009939019afb3198dcc4ca20
-
Filesize
1KB
MD53d5ffd53be77c32cbb147f32423c0a86
SHA1ec4f1d31686625ecc004993cd0e89a4136dd3344
SHA256669c56db590c0308ea25c4508375bb88611b06b1ae689a895dc6b19f4df5619c
SHA512bc2a1bf2dd5d4b135b7cc2b5d8cc24f1a6b6fed7fcfa092e5cfc5965dd368da86b24550338f925a36c458e154c3c4694d369d06cbc5e72e40983b760a39ee2d7
-
Filesize
493B
MD520be78849f16f8008914d8146b5a06f3
SHA17025a9cf11277fcafb527a1b6bd72fa9e467d6e2
SHA256fac6e63efe3b4fbf2013b68f8e420b4d6ab6dd820a1205f75cf774bf27c9d0b2
SHA5120f8f5b7a7b678667bc263017df6b43b48451c8d6a9dd111103504943a81feba7da89d2eec0b1fc2fc3129e11f8037f4877aa41f5583afb2a2750e2dfd05deae0
-
Filesize
802B
MD5d488d8de97683b833c32bbe531a3f8c1
SHA14d5e1461bf19d1e46ee184235913d5e83f638f6f
SHA256cc56e334b58dff595cec0ad534e4aeb95ea0bfc3c7e4c8d80b64c9d9603f028b
SHA512d16442c5f5bd902ae4d13e6abb87726f6608cfbb845d9de4db5018b5bf61bc4e88c618b98dc58f13443a83913105f2110bcd3ee5e91c1491ba880267370243b7
-
Filesize
952B
MD5204f9556853cf1f01dd6ef9b6e93c89e
SHA11f90491b6acf00025df95edcf485dacb0657c541
SHA256f61a6c64fb5dcaef02162c85083a650ab5874ba04121caea66925a88577401ae
SHA51201e208e5e82c788f45c17ff60a0ffcac981c1db5946307e5f665ec7a41b3697b04d5d5e292f043e1f1f9ca5caf5454cddf8456810054ba799b44e131ced8d177
-
Filesize
469B
MD553aff72e284f8b212a7d88abb0dc8763
SHA101eb94360f2190f963010b93147999a2e5c28e4e
SHA2564355121da1e8b1b40003e7c33b43145a4af9e6e86d2da1cb36327ffe10b69e35
SHA512940a2b59c3e160df0315968875b9a963ee0f72bc4698351d6839bbc48d103026b5839722e147aff901d4070c4211800a7eb9db8a120df6dc018ec78793f13a16
-
Filesize
7KB
MD53b400e42685b3fa8df13b8cd97bedc3c
SHA18cc19661310675e1a823168dcf14343514d6532c
SHA256eeffe81413b850dd41861be98bdf7f5a0da84502d0e91467cfc286b89c63c719
SHA512463a5bb6ce2d5af52895ca203c7cfcec6144c772b2b14130d0081c11e6ef9a3f9f44181541fbbb007528512c9dd2d84e6627b7744001bd0c08f712ee0d21dc55
-
Filesize
4KB
MD5106bcfcc67890864960720c1ef24d49c
SHA180afac8bf05f1aae0033b286f4e10e8ff15ef6d7
SHA256857f6e98200cd127165f602bc018b5e4d3dcc6e6c558eb65476d0a9da930f27b
SHA512ceb91976b8690d18ef61ebcb8912bcb4d0fda4e4da0489642ea76507648336cdd015a264a390ebda379b903a843887f8f47ee1f18a33a9246dbb089935552bfa
-
Filesize
10KB
MD50365c95d5be2b3d314dcc019380c0e11
SHA1c269cee763f580e890d2eae42a8e98116e04a232
SHA2566f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503
SHA5129acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c
-
Filesize
39KB
MD53c32ff010f869bc184df71290477384e
SHA19dec39ca0d13cd4aadf4120de29665c426be9f2b
SHA25655cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b
SHA5122443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff