Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 19:06
Behavioral task
- behavioral1
- Sample: 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Resource: win7-20240705-en
General
- Target: 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Size: 255KB
- MD5: 70dac3709ac4bcd5d495cf300812cefb
- SHA1: 661ce55a624c4c6205a78e4060a8bb575bbf60a6
- SHA256: 674627bc518d403e7fef6c0a6922bd93fcc011f44b54e4d739fe0d98de0af16e
- SHA512: 86232f60b1feed396e8a5bf1ea00a4baf8d341ef4a9fb5648aba9af82e36686b7bdf1d9927ab45c87ce6e011fbb0c2ec222f2fd63740ad3b1b80918eb72cc23c
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vgmdmdvrcp.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vgmdmdvrcp.exe
Windows security bypass 5 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vgmdmdvrcp.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vgmdmdvrcp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
- 3584 | vgmdmdvrcp.exe
- 4164 | axrxulccurfzzov.exe
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 5048 | dcdhqrzs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
- behavioral2/memory/1628-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/files/0x0009000000023470-5.dat | upx
- behavioral2/files/0x000c00000002345c-20.dat | upx
- behavioral2/files/0x0007000000023475-28.dat | upx
- behavioral2/memory/1296-32-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-33-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-31-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/files/0x0007000000023476-30.dat | upx
- behavioral2/memory/3584-24-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1628-35-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-42-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/files/0x0007000000023484-69.dat | upx
- behavioral2/files/0x0007000000023485-74.dat | upx
- behavioral2/memory/3584-83-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-102-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/files/0x000a0000000234b1-332.dat | upx
- behavioral2/files/0x000a0000000234b1-581.dat | upx
- behavioral2/memory/3584-583-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-584-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-588-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-587-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-586-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-585-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-589-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-590-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-603-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-604-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-602-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-601-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-600-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-605-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-606-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-609-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-608-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-607-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-610-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-613-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-614-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-612-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-611-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/5048-617-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/1296-618-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-624-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-623-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-622-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-628-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-629-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-627-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-632-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-631-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-630-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-633-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-634-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-635-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-657-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-658-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-659-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-660-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/4164-661-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3508-662-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
- behavioral2/memory/3584-663-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Windows security modification 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vgmdmdvrcp.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tsvenxfk = "vgmdmdvrcp.exe" | axrxulccurfzzov.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ygnzxkad = "axrxulccurfzzov.exe" | axrxulccurfzzov.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xcphyhpmthxlj.exe" | axrxulccurfzzov.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\r: | dcdhqrzs.exe
- File opened (read-only) | \??\v: | dcdhqrzs.exe
- File opened (read-only) | \??\z: | dcdhqrzs.exe
- File opened (read-only) | \??\h: | vgmdmdvrcp.exe
- File opened (read-only) | \??\j: | vgmdmdvrcp.exe
- File opened (read-only) | \??\k: | vgmdmdvrcp.exe
- File opened (read-only) | \??\o: | vgmdmdvrcp.exe
- File opened (read-only) | \??\q: | dcdhqrzs.exe
- File opened (read-only) | \??\w: | dcdhqrzs.exe
- File opened (read-only) | \??\x: | dcdhqrzs.exe
- File opened (read-only) | \??\q: | dcdhqrzs.exe
- File opened (read-only) | \??\i: | vgmdmdvrcp.exe
- File opened (read-only) | \??\l: | vgmdmdvrcp.exe
- File opened (read-only) | \??\n: | vgmdmdvrcp.exe
- File opened (read-only) | \??\r: | vgmdmdvrcp.exe
- File opened (read-only) | \??\p: | dcdhqrzs.exe
- File opened (read-only) | \??\u: | dcdhqrzs.exe
- File opened (read-only) | \??\y: | dcdhqrzs.exe
- File opened (read-only) | \??\b: | dcdhqrzs.exe
- File opened (read-only) | \??\h: | dcdhqrzs.exe
- File opened (read-only) | \??\n: | dcdhqrzs.exe
- File opened (read-only) | \??\r: | dcdhqrzs.exe
- File opened (read-only) | \??\k: | dcdhqrzs.exe
- File opened (read-only) | \??\v: | dcdhqrzs.exe
- File opened (read-only) | \??\w: | dcdhqrzs.exe
- File opened (read-only) | \??\m: | vgmdmdvrcp.exe
- File opened (read-only) | \??\u: | dcdhqrzs.exe
- File opened (read-only) | \??\z: | dcdhqrzs.exe
- File opened (read-only) | \??\h: | dcdhqrzs.exe
- File opened (read-only) | \??\i: | dcdhqrzs.exe
- File opened (read-only) | \??\a: | dcdhqrzs.exe
- File opened (read-only) | \??\o: | dcdhqrzs.exe
- File opened (read-only) | \??\j: | dcdhqrzs.exe
- File opened (read-only) | \??\s: | dcdhqrzs.exe
- File opened (read-only) | \??\u: | vgmdmdvrcp.exe
- File opened (read-only) | \??\v: | vgmdmdvrcp.exe
- File opened (read-only) | \??\t: | dcdhqrzs.exe
- File opened (read-only) | \??\e: | dcdhqrzs.exe
- File opened (read-only) | \??\g: | dcdhqrzs.exe
- File opened (read-only) | \??\s: | dcdhqrzs.exe
- File opened (read-only) | \??\t: | dcdhqrzs.exe
- File opened (read-only) | \??\e: | dcdhqrzs.exe
- File opened (read-only) | \??\t: | vgmdmdvrcp.exe
- File opened (read-only) | \??\y: | vgmdmdvrcp.exe
- File opened (read-only) | \??\i: | dcdhqrzs.exe
- File opened (read-only) | \??\s: | vgmdmdvrcp.exe
- File opened (read-only) | \??\l: | dcdhqrzs.exe
- File opened (read-only) | \??\l: | dcdhqrzs.exe
- File opened (read-only) | \??\a: | vgmdmdvrcp.exe
- File opened (read-only) | \??\o: | dcdhqrzs.exe
- File opened (read-only) | \??\z: | vgmdmdvrcp.exe
- File opened (read-only) | \??\n: | dcdhqrzs.exe
- File opened (read-only) | \??\p: | dcdhqrzs.exe
- File opened (read-only) | \??\g: | vgmdmdvrcp.exe
- File opened (read-only) | \??\k: | dcdhqrzs.exe
- File opened (read-only) | \??\m: | dcdhqrzs.exe
- File opened (read-only) | \??\g: | dcdhqrzs.exe
- File opened (read-only) | \??\p: | vgmdmdvrcp.exe
- File opened (read-only) | \??\q: | vgmdmdvrcp.exe
- File opened (read-only) | \??\y: | dcdhqrzs.exe
- File opened (read-only) | \??\b: | vgmdmdvrcp.exe
- File opened (read-only) | \??\x: | vgmdmdvrcp.exe
- File opened (read-only) | \??\j: | dcdhqrzs.exe
- File opened (read-only) | \??\a: | dcdhqrzs.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vgmdmdvrcp.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vgmdmdvrcp.exe
AutoIT Executable 60 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/1296-32-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-33-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-31-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-24-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1628-35-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-42-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-83-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-102-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-583-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-584-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-588-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-587-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-586-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-585-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-589-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-590-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-603-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-604-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-602-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-601-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-600-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-605-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-606-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-609-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-608-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-607-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-610-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-613-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-614-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-612-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-611-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/5048-617-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/1296-618-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-624-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-623-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-622-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-628-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-629-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-627-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-632-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-631-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-630-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-633-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-634-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-635-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-657-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-658-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-659-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-660-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-661-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-662-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-663-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-665-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-664-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3584-666-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/3508-668-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
- behavioral2/memory/4164-667-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\vgmdmdvrcp.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\vgmdmdvrcp.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\axrxulccurfzzov.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\xcphyhpmthxlj.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\xcphyhpmthxlj.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | C:\Windows\SysWOW64\axrxulccurfzzov.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\dcdhqrzs.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\dcdhqrzs.exe | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vgmdmdvrcp.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dcdhqrzs.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dcdhqrzs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcdhqrzs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dcdhqrzs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dcdhqrzs.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dcdhqrzs.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dcdhqrzs.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | C:\Windows\mydoc.rtf | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dcdhqrzs.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dcdhqrzs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vgmdmdvrcp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axrxulccurfzzov.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcdhqrzs.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xcphyhpmthxlj.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcdhqrzs.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFF4F5B85199031D72F7E95BDE0E6365930664F6332D79E" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C7F9C2483206A3176D477202DDC7DF665D9" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B129479539EA52CFB9D0339FD4C5" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vgmdmdvrcp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vgmdmdvrcp.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9BCFE16F29184753B3686983992B38A038F43150233E2C442EF09D3" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C60F15ECDBB1B9CC7C94ED9F34CD" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vgmdmdvrcp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vgmdmdvrcp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vgmdmdvrcp.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vgmdmdvrcp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568B6FF1D21DDD27ED1A68A7F9161" | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
- 3484 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe (×16)
- 3584 | vgmdmdvrcp.exe (×10)
- 4164 | axrxulccurfzzov.exe (×10)
- 1296 | dcdhqrzs.exe (×8)
- 3508 | xcphyhpmthxlj.exe (×12)
- 5048 | dcdhqrzs.exe (×8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
- 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe (×3)
- 3584 | vgmdmdvrcp.exe (×3)
- 4164 | axrxulccurfzzov.exe (×3)
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 5048 | dcdhqrzs.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
- 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe (×3)
- 3584 | vgmdmdvrcp.exe (×3)
- 4164 | axrxulccurfzzov.exe (×3)
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 1296 | dcdhqrzs.exe
- 3508 | xcphyhpmthxlj.exe
- 5048 | dcdhqrzs.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
- 3484 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
- PID 1628 wrote to memory of 3584 | 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 84 (×3)
- PID 1628 wrote to memory of 4164 | 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 85 (×3)
- PID 1628 wrote to memory of 1296 | 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 86 (×3)
- PID 1628 wrote to memory of 3508 | 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 87 (×3)
- PID 1628 wrote to memory of 3484 | 1628 | 70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe | 88 (×2)
- PID 3584 wrote to memory of 5048 | 3584 | vgmdmdvrcp.exe | 90 (×3)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1628

Level 2 (child of PID 1628): C:\Windows\SysWOW64\vgmdmdvrcp.exe
Command line: vgmdmdvrcp.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3584

Level 3 (child of PID 3584): C:\Windows\SysWOW64\dcdhqrzs.exe
Command line: C:\Windows\system32\dcdhqrzs.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 5048

Level 2 (child of PID 1628): C:\Windows\SysWOW64\axrxulccurfzzov.exe
Command line: axrxulccurfzzov.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4164

Level 2 (child of PID 1628): C:\Windows\SysWOW64\dcdhqrzs.exe
Command line: dcdhqrzs.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1296

Level 2 (child of PID 1628): C:\Windows\SysWOW64\xcphyhpmthxlj.exe
Command line: xcphyhpmthxlj.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3508

Level 2 (child of PID 1628): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 3484
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads