Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
23-07-2024 05:06
Static task
static1
Behavioral task
behavioral1
Sample
664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe
-
Size
825KB
-
MD5
664141c2744c8abf397e4af29a407f86
-
SHA1
8bbb994ed7c0731b0ec15d4a48b92916bb892a29
-
SHA256
1dd1a3acac3cd85e1044029a930bf2cb743f92e8801c0caafc310432553dc5d4
-
SHA512
025098c1ca528fe30c3f80eb82656e56d802535c9f92d99e0009311fdb6c4fa6ffa46bca4c566f2561e05756028e8f34a56ff9227124273dc44655e690a443b9
-
SSDEEP
12288:cw6CMmjYMiI5ZP1kSbbHYgGgiHiWTHaZY6MRNZH32O2Y/OtOnonDXLh+y3hy:x6C9pPiSbMDNTL9Ze+K7My3U
Malware Config
Signatures
-
Modifies security service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP Process not Found Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection Process not Found -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" svchost.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" usеrinit.exe -
Deletes itself 1 IoCs
pid Process 2368 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1992 usеrinit.exe -
Loads dropped DLL 1 IoCs
pid Process 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" svchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization 3 TTPs 1 IoCs
Detecting virtualization disks is often done in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK svchost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT usеrinit.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx Process not Found -
Suspicious use of NtCreateThreadExHideFromDebugger 33 IoCs
pid Process 2928 svchost.exe -
Suspicious use of SetThreadContext 23 IoCs
description pid Process procid_target PID 2052 set thread context of 2368 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe 30 PID 2928 set thread context of 284 2928 svchost.exe 16 -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 4 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh svchost.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh svchost.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh svchost.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK svchost.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe -
Enumerates system info in registry 2 TTPs 41 IoCs
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 6 IoCs
description ioc Process Key created \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Key created \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Key created \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" svchost.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 1992 usеrinit.exe 2928 svchost.exe 672 Process not Found -
Suspicious behavior: MapViewOfSection 37 IoCs
pid Process 2928 svchost.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Token: SeSecurityPrivilege 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe Token: SeDebugPrivilege 1992 usеrinit.exe Token: SeShutdownPrivilege 1184 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2928 svchost.exe 1184 Process not Found -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2928 svchost.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3040 iexplore.exe 2964 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 608 Process not Found 284 svchost.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2368 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe 30 PID 2052 wrote to memory of 1992 2052 664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe 32 PID 1992 wrote to memory of 2928 1992 usеrinit.exe 33 PID 2928 wrote to memory of 284 2928 svchost.exe 16 PID 392 wrote to memory of 3040 392 Process not Found 35 PID 2928 wrote to memory of 3040 2928 svchost.exe 35 PID 392 wrote to memory of 2964 392 Process not Found 36 PID 3040 wrote to memory of 2964 3040 iexplore.exe 36 PID 332 wrote to memory of 2068 332 Process not Found 37 PID 608 wrote to memory of 2068 608 Process not Found 37 PID 488 wrote to memory of 3040 488 Process not Found 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService 1⤵
- Modifies data under HKEY_USERS
- Suspicious use of UnmapMainImage
PID:284
-
C:\Users\Admin\AppData\Local\Temp\664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\664141c2744c8abf397e4af29a407f86_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" 2⤵
- Deletes itself
PID:2368
-
-
\??\globalroot\systemroot\system32\usеrinit.exe
/install 2⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
-
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe" 3⤵
- Modifies security service
- Windows security bypass
- Modifies system executable filetype association
- Checks registry for disk virtualization
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
- Event Triggered Execution: Netsh Helper DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
-
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.broxbilling.com/get/product.php?id=intsec&advert=131087&extern=0&lang=EN 4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2 5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
-
-
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} 1⤵
PID:2068
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 2
Change Default File Association 1
Netsh Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 2
Change Default File Association 1
Netsh Helper DLL 1
Downloads