Analysis
- max time kernel: 149s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 21/07/2024, 23:30
Behavioral task
behavioral1
Sample
61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
Resource
win7-20240708-en
General
- Target: 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
- Size: 255KB
- MD5: 61dde54dcf3f69051c3d08a36aa7a281
- SHA1: 0cb13ee09cfd2c14c17a54cd1a139b8d60bdb16f
- SHA256: 58cee81a760e523b1421260af8d9eec614d7b8706a770933e8c29d38fe32ee57
- SHA512: a799ee5806ae8a381c05ccf1e95676a46d75bc830086506ccfb501724cc0da162b6c3fc6732e084a36e2546180c7f4caf9ba8c79e5a686bca642ca3d94c88383
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIt
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qgasrvoxmf.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qgasrvoxmf.exe
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qgasrvoxmf.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qgasrvoxmf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid Process
1688 qgasrvoxmf.exe
1084 qsgbcfmbwtzfcxp.exe
1916 khioiaht.exe
4768 ebbsgaztqmktp.exe
1592 khioiaht.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qgasrvoxmf.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xoxeeeap = "qgasrvoxmf.exe" qsgbcfmbwtzfcxp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vnbdqcqj = "qsgbcfmbwtzfcxp.exe" qsgbcfmbwtzfcxp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ebbsgaztqmktp.exe" qsgbcfmbwtzfcxp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qgasrvoxmf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qgasrvoxmf.exe
AutoIT Executable 59 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description ioc Process
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe khioiaht.exe
File created C:\Windows\SysWOW64\qgasrvoxmf.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File created C:\Windows\SysWOW64\qsgbcfmbwtzfcxp.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\khioiaht.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File created C:\Windows\SysWOW64\ebbsgaztqmktp.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe khioiaht.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe khioiaht.exe
File opened for modification C:\Windows\SysWOW64\qgasrvoxmf.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\qsgbcfmbwtzfcxp.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File created C:\Windows\SysWOW64\khioiaht.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\ebbsgaztqmktp.exe 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qgasrvoxmf.exe
Drops file in Program Files directory 22 IoCs
Drops file in Windows directory 19 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Modifies registry class 20 IoCs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
3752 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
1084 qsgbcfmbwtzfcxp.exe
1688 qgasrvoxmf.exe
1916 khioiaht.exe
4768 ebbsgaztqmktp.exe
1592 khioiaht.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
1084 qsgbcfmbwtzfcxp.exe
1688 qgasrvoxmf.exe
1916 khioiaht.exe
4768 ebbsgaztqmktp.exe
1592 khioiaht.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
1084 qsgbcfmbwtzfcxp.exe
1688 qgasrvoxmf.exe
1916 khioiaht.exe
4768 ebbsgaztqmktp.exe
1592 khioiaht.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
3752 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1068 wrote to memory of 1688 1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe 86
PID 1068 wrote to memory of 1084 1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe 87
PID 1068 wrote to memory of 1916 1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe 88
PID 1068 wrote to memory of 4768 1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe 89
PID 1068 wrote to memory of 3752 1068 61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe 90
PID 1688 wrote to memory of 1592 1688 qgasrvoxmf.exe 92
Processes
C:\Users\Admin\AppData\Local\Temp\61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61dde54dcf3f69051c3d08a36aa7a281_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068

  C:\Windows\SysWOW64\qgasrvoxmf.exe
  qgasrvoxmf.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1688

    C:\Windows\SysWOW64\khioiaht.exe
    C:\Windows\system32\khioiaht.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1592

  C:\Windows\SysWOW64\qsgbcfmbwtzfcxp.exe
  qsgbcfmbwtzfcxp.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1084

  C:\Windows\SysWOW64\khioiaht.exe
  khioiaht.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1916

  C:\Windows\SysWOW64\ebbsgaztqmktp.exe
  ebbsgaztqmktp.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4768

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3752

Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
- Hidden Files and Directories (2)
Impair Defenses (2)
- Disable or Modify Tools (2)
Modify Registry (6)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 4KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB