Analysis Overview
SHA256
4c145cbe75b48f1dee957d833654be2e2519ec52a78c39e298d153557c2a8eb8
Threat Level: Known bad
The file 0478bbd07527cc07911a77377a09cdac_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Modifies security service
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 08:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 08:49
Reported
2024-06-20 08:52
Platform
win7-20240611-en
Max time kernel
137s
Max time network
121s
Command Line
Signatures
MetaSploit
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\25565.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\Temp\25565.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\Temp\25565.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
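The "Modifies security service" and "Runs .reg file with regedit" tables above describe one mechanism: each cycle runs `REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg`, and the only registry effect the sandbox records is `Start = 4` (SERVICE_DISABLED) on wuauserv (Windows Update) and wscsvc (Windows Security Center). The content of 1.reg itself is not on this page, and the Files section lists a different hash for it in every cycle while a.bat's hash never changes, so only the effect is known. The following Python is an added example, not part of the report or of the sample: it parses a .reg file, works out which service start types it changes, and reads the same fact back out of the report's own indicator strings. `SAMPLE_REG` is a constructed file that would produce exactly the writes the report shows; the windefend and mpssvc entries in `WATCHED_SERVICES` are added assumptions and do not appear in this report.

```python
"""Added example, not part of the sandbox report or of the sample: parse a
.reg file, work out which service start types it changes, and read the same
fact back out of the report's own indicator strings."""
import re

# Start value under HKLM\SYSTEM\<ControlSet>\Services\<name>; 4 is SERVICE_DISABLED
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Services worth flagging when disabled. wuauserv and wscsvc are the two the
# report shows; windefend and mpssvc are added here as an assumption.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Windows Security Center",
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
}

# Constructed stand-in for 1.reg: its real content is not on the page, only its effect.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_INDICATOR_RE = re.compile(r'\\services\\([^\\]+)\\Start\s*=\s*"(\d+)"', re.I)


def parse_reg(text):
    """Return [(key, value name, value)] from .reg text. Handles the subset needed
    here: [key] and [-key] headers, "name"=dword:XXXXXXXX and "name"="string";
    any other value type is kept as its raw string."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                entries.append((key, None, "<delete key>"))
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3).strip()
            if data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = data
            entries.append((key, name, value))
    return entries


def service_start_changes(entries):
    """{service name: (Start value, meaning)} for every Start write under a Services key."""
    changes = {}
    for key, name, value in entries:
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "services" and name and name.lower() == "start":
            changes[parts[-1].lower()] = (value, START_TYPES.get(value, "unknown"))
    return changes


def service_start_from_indicator(indicator):
    r"""Parse a sandbox indicator such as
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"
    into ("wuauserv", 4, "disabled"); None if it is not a Start write."""
    m = _INDICATOR_RE.search(indicator)
    if not m:
        return None
    val = int(m.group(2))
    return (m.group(1).lower(), val, START_TYPES.get(val, "unknown"))


def flag_disabled_security_services(changes):
    """Sorted watched services that the changes set to disabled (Start=4)."""
    return sorted(s for s, (val, _) in changes.items() if s in WATCHED_SERVICES and val == 4)


def restore_commands(flagged):
    """sc.exe commands that re-enable the services, returned as strings, not run.
    'auto' is a reasonable default; confirm the exact start type on a known-good host."""
    return [f"sc.exe config {svc} start= auto" for svc in flagged]


if __name__ == "__main__":
    changes = service_start_changes(parse_reg(SAMPLE_REG))
    flagged = flag_disabled_security_services(changes)
    for svc in flagged:
        print(f"{svc} ({WATCHED_SERVICES[svc]}) set to {changes[svc][1]}")
    print("\n".join(restore_commands(flagged)))
```

Two caveats worth keeping in mind when reading the tables: the sandbox reports the key as `ControlSet001`, which is the control set `CurrentControlSet` resolves to on a fresh VM, so a .reg that names either path produces the same row; and `HKLM\SYSTEM` is not subject to WOW64 registry redirection, so the 32-bit `SysWOW64\regedit.exe` writes reach the real service configuration rather than a Wow6432Node copy.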
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"
C:\Windows\Temp\25565.exe
C:\Windows\Temp\25565.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 504 "C:\Windows\Temp\25565.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 536 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 540 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 544 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 548 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 552 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 556 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 532 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 564 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 528 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
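The process list above is one cycle repeated ten times: `cmd /c c:\a.bat`, `REGEDIT /S ...\1.reg`, then a fresh `zonealarm.exe` whose arguments are an integer and the quoted path of the binary that came before it (first `C:\Windows\Temp\25565.exe`, then `C:\Windows\SysWOW64\zonealarm.exe` itself). The page does not explain the integer; values such as 504 and 536 are consistent with a process ID handed to the new copy, which is a common shape for a self-replacing or watchdog launcher, and that reading is an assumption here. Note also that every command line says `C:\Windows\system32\zonealarm.exe` while the image path is `C:\Windows\SysWOW64\zonealarm.exe`: that is WOW64 file-system redirection for a 32-bit process, not two different files. The following Python is an added example, not part of the report or of the sample: it reconstructs the chain from (image path, command line) pairs and applies three rules that this run would trigger. `EVENTS` is transcribed from the first three cycles of the behavioral1 process list; parent PIDs are not on the page, so the rules use only order and command-line content, and the rule names are this example's own rather than sandbox signature names.

```python
"""Added example, not part of the sandbox report: reconstruct the relaunch loop
from the process list and run three detection rules over it.

EVENTS is transcribed from the first three cycles of the behavioral1 process
list as (image path, command line) pairs. Parent PIDs are not on the page, so
the rules work on order and command-line content only."""
import re

EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"'),
    (r"C:\Windows\Temp\25565.exe", r"C:\Windows\Temp\25565.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    (r"C:\Windows\SysWOW64\regedit.exe", r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    (r"C:\Windows\SysWOW64\zonealarm.exe",
     r'C:\Windows\system32\zonealarm.exe 504 "C:\Windows\Temp\25565.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    (r"C:\Windows\SysWOW64\zonealarm.exe",
     r'C:\Windows\system32\zonealarm.exe 536 "C:\Windows\SysWOW64\zonealarm.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c c:\a.bat"),
    (r"C:\Windows\SysWOW64\regedit.exe", r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    (r"C:\Windows\SysWOW64\zonealarm.exe",
     r'C:\Windows\system32\zonealarm.exe 540 "C:\Windows\SysWOW64\zonealarm.exe"'),
]

# <exe> <integer> "<path>": the shape of every zonealarm.exe launch in the report.
_RELAUNCH_RE = re.compile(r'^(\S+)\s+(\d+)\s+"([^"]+)"\s*$')
# regedit /S <file.reg> with the file under a user-writable temp directory.
_SILENT_REG_RE = re.compile(
    r'(^|\s)/s\s+\S*\\(appdata\\local\\temp|windows\\temp)\\[^\s"]+\.reg', re.I)


def wow64_view(path):
    r"""Where a 32-bit process's reference to C:\Windows\system32 really lands:
    WOW64 file-system redirection sends it to C:\Windows\SysWOW64. This is why
    the report's command lines say system32 while the image paths say SysWOW64."""
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


def relaunch_chain(events):
    """[(launcher image, integer argument, referenced path)] for every
    '<exe> <int> "<path>"' command line, in order of appearance."""
    chain = []
    for image, cmdline in events:
        m = _RELAUNCH_RE.match(cmdline)
        if m:
            chain.append((image, int(m.group(2)), m.group(3)))
    return chain


def detect(events):
    """Apply three rules; returns [(rule name, image, cmdline)]. Rule names are
    this example's own, not sandbox signature names."""
    hits, images_seen = [], set()
    for image, cmdline in events:
        low_img = image.lower()
        # R1: silent .reg import from a temp directory (how wuauserv/wscsvc get Start=4 here)
        if low_img.endswith("\\regedit.exe") and _SILENT_REG_RE.search(cmdline):
            hits.append(("silent_reg_import", image, cmdline))
        # R2: a new process whose arguments name an image that already ran:
        # the self-replacing / watchdog shape of the zonealarm.exe launches
        m = _RELAUNCH_RE.match(cmdline)
        if m and wow64_view(m.group(3)).lower() in images_seen:
            hits.append(("relaunch_of_prior_image", image, cmdline))
        # R3: command line names system32 but the 32-bit image lives in SysWOW64
        exe_in_cmd = cmdline.split()[0].strip('"')
        if exe_in_cmd.lower() != low_img and wow64_view(exe_in_cmd).lower() == low_img:
            hits.append(("wow64_redirected_system32_path", image, cmdline))
        images_seen.add(low_img)
    return hits


def rule_counts(events):
    """Hits per rule as a plain dict."""
    counts = {}
    for rule, _, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def image_counts(events):
    """How many times each basename appears: shows the cmd -> regedit -> zonealarm cycle."""
    counts = {}
    for image, _ in events:
        name = image.rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for image, pid_arg, target in relaunch_chain(EVENTS):
        name = image.rsplit("\\", 1)[-1]
        print(f"{name} arg={pid_arg} refers to {target}")
    for rule, image, cmdline in detect(EVENTS):
        print(f"[{rule}] {image} :: {cmdline}")
    print(rule_counts(EVENTS), image_counts(EVENTS))
```

When carrying R2 and R3 into a real pipeline, normalise both the image path and the command-line path through the WOW64 view before comparing, otherwise every one of the zonealarm.exe launches looks like a different binary from the one the file events record being written to SysWOW64.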
Network
No network activity was recorded in this run.
Files
C:\Windows\Temp\25565.exe
| MD5 | dd18a6628a119b8695cef08da6c10b48 |
| SHA1 | d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc |
| SHA256 | cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09 |
| SHA512 | fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23 |
C:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c93c561465db53bf9a99759de9d25f07 |
| SHA1 | 5386934828e2c2589bfe394ac1f03ffbfba93bfa |
| SHA256 | 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851 |
| SHA512 | bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 584f47a0068747b3295751a0d591f4ee |
| SHA1 | 7886a90e507c56d3a6105ecdfd9ff77939afa56f |
| SHA256 | 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5 |
| SHA512 | ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5088b4be1b90717121e76c1fc33c033a |
| SHA1 | 090676b012c30e6b0d6493ca1e9a31f3093cad6f |
| SHA256 | d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a |
| SHA512 | 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 4117e5a9c995bab9cd3bce3fc2b99a46 |
| SHA1 | 80144ccbad81c2efb1df64e13d3d5f59ca4486da |
| SHA256 | 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292 |
| SHA512 | bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | f31b2aa720a1c523c1e36a40ef21ee0d |
| SHA1 | 9c8089896c55e6e6a9cca99b1b98c544723d314e |
| SHA256 | cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716 |
| SHA512 | a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 558ce6da965ba1758d112b22e15aa5a2 |
| SHA1 | a365542609e4d1dc46be62928b08612fcabe2ede |
| SHA256 | c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb |
| SHA512 | 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 47985593a44ee38c64665b04cbd4b84c |
| SHA1 | 84900c2b2e116a7b744730733f63f2a38b4eb76e |
| SHA256 | 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70 |
| SHA512 | abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | ffbb389d817acf25cc38799c239d512c |
| SHA1 | 8b4854ed9e257c3da9ec11d0f145805c6ae6193f |
| SHA256 | f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39 |
| SHA512 | 382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | bf7ee07851e04b2a0dbe554db62dc3aa |
| SHA1 | cad155b66053cd7ce2b969a0eb20a8f4812b1f46 |
| SHA256 | 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9 |
| SHA512 | 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 08:49
Reported
2024-06-20 08:52
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
MetaSploit
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\25565.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zonealarm.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\Temp\25565.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\Temp\25565.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
| File created | C:\Windows\SysWOW64\zonealarm.exe | C:\Windows\SysWOW64\zonealarm.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"
C:\Windows\Temp\25565.exe
C:\Windows\Temp\25565.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1168 "C:\Windows\Temp\25565.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1164 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1136 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1140 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1148 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1144 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1152 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1156 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1172 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\zonealarm.exe
C:\Windows\system32\zonealarm.exe 1116 "C:\Windows\SysWOW64\zonealarm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Every entry below is either a reverse-DNS (in-addr.arpa) lookup against 8.8.8.8 or traffic to chromewebstore.googleapis.com and pki.goog, consistent with the msedge.exe utility process in the process list rather than with the sample; no connection on this page is attributed to the sample, and the Win7 run (behavioral1) recorded no network activity at all.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\Temp\25565.exe
| MD5 | dd18a6628a119b8695cef08da6c10b48 |
| SHA1 | d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc |
| SHA256 | cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09 |
| SHA512 | fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23 |
\??\c:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5a466127fedf6dbcd99adc917bd74581 |
| SHA1 | a2e60b101c8789b59360d95a64ec07d0723c4d38 |
| SHA256 | 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84 |
| SHA512 | 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6b0182442d6e09100c34904ae6d8ee0c |
| SHA1 | 6255e65587505629521ea048a4e40cc48b512f2c |
| SHA256 | cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4 |
| SHA512 | 64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | f708dcfd087b5b3763678cfb8d63735e |
| SHA1 | a38fa7fa516c1402762425176ff1b607db36c752 |
| SHA256 | abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10 |
| SHA512 | fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d085cde42c14e8ee2a5e8870d08aee42 |
| SHA1 | c8e967f1d301f97dbcf252d7e1677e590126f994 |
| SHA256 | a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f |
| SHA512 | de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 67a0c98a371995d5434cb9788ee1c42f |
| SHA1 | 7171d3dca52f038ca9d9e8b13f356462dbc8f3cc |
| SHA256 | 2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3 |
| SHA512 | f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c6b0028a6f5508ef564d624eda0e72bc |
| SHA1 | 18901c9856a9af672c2e27383c15d2da41f27b6b |
| SHA256 | b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06 |
| SHA512 | 5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | e427a32326a6a806e7b7b4fdbbe0ed4c |
| SHA1 | b10626953332aeb7c524f2a29f47ca8b0bee38b1 |
| SHA256 | b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839 |
| SHA512 | 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8c6aa92ac8ffdfb7a0fb3dafd14d65f1 |
| SHA1 | cac3992d696a99a5dec2ab1c824c816117414b16 |
| SHA256 | dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa |
| SHA512 | f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5da7efcc8d0fcdf2bad7890c3f8a27ca |
| SHA1 | 681788d5a3044eee8426d431bd786375cd32bf13 |
| SHA256 | 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8 |
| SHA512 | 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 1c6131354c6987300ea512b765475b82 |
| SHA1 | 2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53 |
| SHA256 | 3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640 |
| SHA512 | b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68 |