Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 03:12

Behavioral task: behavioral1
Sample: 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Resource: win7-20240705-en

General
Target: 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Size: 255KB
MD5: 7261f85ec2a296d9cb6ecb34badf37cf
SHA1: a55ab46f5a7393d13929f3ea0610f364eeff46de
SHA256: 9a539d6e8ba5a8215a627b74778002872b3952646de499b7aa38a47bfed55c70
SHA512: 9f437d2b6a448c0ffe22003307914c0e31e65361604b5f9f2c52f46c0fc9b1353bc59a06b691a27cb1fbc970be2fe05057ff29f8e71127123c4272023b181f64
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJS:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI7
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tigoihdufw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tigoihdufw.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tigoihdufw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tigoihdufw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4760 | tigoihdufw.exe
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
4796 | kivvtmzkqvruv.exe
4312 | nublzvhe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/3548-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000023391-5.dat | upx
behavioral2/files/0x000900000002338b-18.dat | upx
behavioral2/memory/4760-24-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000023393-27.dat | upx
behavioral2/memory/4796-33-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-32-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000023394-31.dat | upx
behavioral2/memory/1504-25-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3548-36-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-43-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000b000000023386-74.dat | upx
behavioral2/files/0x000b000000023386-76.dat | upx
behavioral2/files/0x00080000000233ff-79.dat | upx
behavioral2/files/0x00030000000230ab-91.dat | upx
behavioral2/files/0x000800000002333a-94.dat | upx
behavioral2/memory/4760-112-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-113-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-115-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-116-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-114-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-597-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-598-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-596-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-595-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-594-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0022000000023480-601.dat | upx
behavioral2/memory/1504-606-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0022000000023480-610.dat | upx
behavioral2/memory/1932-612-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-613-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-614-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-615-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-618-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-617-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-616-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-619-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-620-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-622-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-621-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-623-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-624-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-625-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-628-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-627-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-626-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-629-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-630-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-632-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-631-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-633-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-637-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-641-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1932-640-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-643-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-642-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-644-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-645-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-646-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-647-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4796-650-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-648-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1504-649-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4760-676-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tigoihdufw.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kppknlvh = "tigoihdufw.exe" | pqbrdjbvcirnfny.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjafynoc = "pqbrdjbvcirnfny.exe" | pqbrdjbvcirnfny.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kivvtmzkqvruv.exe" | pqbrdjbvcirnfny.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\y: | nublzvhe.exe
File opened (read-only) | \??\g: | nublzvhe.exe
File opened (read-only) | \??\w: | tigoihdufw.exe
File opened (read-only) | \??\r: | tigoihdufw.exe
File opened (read-only) | \??\s: | tigoihdufw.exe
File opened (read-only) | \??\j: | nublzvhe.exe
File opened (read-only) | \??\q: | tigoihdufw.exe
File opened (read-only) | \??\u: | tigoihdufw.exe
File opened (read-only) | \??\v: | nublzvhe.exe
File opened (read-only) | \??\i: | nublzvhe.exe
File opened (read-only) | \??\g: | tigoihdufw.exe
File opened (read-only) | \??\o: | tigoihdufw.exe
File opened (read-only) | \??\b: | nublzvhe.exe
File opened (read-only) | \??\u: | nublzvhe.exe
File opened (read-only) | \??\z: | nublzvhe.exe
File opened (read-only) | \??\e: | nublzvhe.exe
File opened (read-only) | \??\h: | nublzvhe.exe
File opened (read-only) | \??\o: | nublzvhe.exe
File opened (read-only) | \??\e: | tigoihdufw.exe
File opened (read-only) | \??\v: | nublzvhe.exe
File opened (read-only) | \??\z: | nublzvhe.exe
File opened (read-only) | \??\k: | tigoihdufw.exe
File opened (read-only) | \??\i: | tigoihdufw.exe
File opened (read-only) | \??\t: | nublzvhe.exe
File opened (read-only) | \??\j: | nublzvhe.exe
File opened (read-only) | \??\q: | nublzvhe.exe
File opened (read-only) | \??\s: | nublzvhe.exe
File opened (read-only) | \??\y: | nublzvhe.exe
File opened (read-only) | \??\a: | tigoihdufw.exe
File opened (read-only) | \??\a: | nublzvhe.exe
File opened (read-only) | \??\i: | nublzvhe.exe
File opened (read-only) | \??\w: | nublzvhe.exe
File opened (read-only) | \??\x: | nublzvhe.exe
File opened (read-only) | \??\x: | tigoihdufw.exe
File opened (read-only) | \??\m: | nublzvhe.exe
File opened (read-only) | \??\l: | nublzvhe.exe
File opened (read-only) | \??\r: | nublzvhe.exe
File opened (read-only) | \??\h: | nublzvhe.exe
File opened (read-only) | \??\y: | tigoihdufw.exe
File opened (read-only) | \??\e: | nublzvhe.exe
File opened (read-only) | \??\w: | nublzvhe.exe
File opened (read-only) | \??\t: | nublzvhe.exe
File opened (read-only) | \??\v: | tigoihdufw.exe
File opened (read-only) | \??\t: | tigoihdufw.exe
File opened (read-only) | \??\z: | tigoihdufw.exe
File opened (read-only) | \??\k: | nublzvhe.exe
File opened (read-only) | \??\m: | nublzvhe.exe
File opened (read-only) | \??\o: | nublzvhe.exe
File opened (read-only) | \??\p: | nublzvhe.exe
File opened (read-only) | \??\q: | nublzvhe.exe
File opened (read-only) | \??\m: | tigoihdufw.exe
File opened (read-only) | \??\k: | nublzvhe.exe
File opened (read-only) | \??\s: | nublzvhe.exe
File opened (read-only) | \??\n: | tigoihdufw.exe
File opened (read-only) | \??\u: | nublzvhe.exe
File opened (read-only) | \??\j: | tigoihdufw.exe
File opened (read-only) | \??\a: | nublzvhe.exe
File opened (read-only) | \??\n: | nublzvhe.exe
File opened (read-only) | \??\g: | nublzvhe.exe
File opened (read-only) | \??\r: | nublzvhe.exe
File opened (read-only) | \??\n: | nublzvhe.exe
File opened (read-only) | \??\p: | tigoihdufw.exe
File opened (read-only) | \??\l: | nublzvhe.exe
File opened (read-only) | \??\x: | nublzvhe.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tigoihdufw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tigoihdufw.exe
AutoIT Executable 60 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4760-24-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-32-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-25-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3548-36-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-43-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-112-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-113-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-115-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-116-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-114-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-597-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-598-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-596-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-595-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-594-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-606-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-612-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-613-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-614-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-615-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-618-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-617-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-616-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-619-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-620-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-622-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-621-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-623-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-624-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-625-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-628-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-627-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-626-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-629-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-630-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-632-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-631-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-633-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-637-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-641-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1932-640-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-643-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-642-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-644-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-645-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-646-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-647-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-650-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-648-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-649-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-676-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-678-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-677-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-679-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-680-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-681-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1504-683-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4796-684-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-682-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4760-685-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | C:\Windows\SysWOW64\tigoihdufw.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pqbrdjbvcirnfny.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nublzvhe.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kivvtmzkqvruv.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tigoihdufw.exe
File created | C:\Windows\SysWOW64\tigoihdufw.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pqbrdjbvcirnfny.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\nublzvhe.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kivvtmzkqvruv.exe | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nublzvhe.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nublzvhe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nublzvhe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nublzvhe.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nublzvhe.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nublzvhe.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nublzvhe.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | C:\Windows\mydoc.rtf | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nublzvhe.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nublzvhe.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nublzvhe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nublzvhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tigoihdufw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pqbrdjbvcirnfny.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nublzvhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kivvtmzkqvruv.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tigoihdufw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tigoihdufw.exe
Key created | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9CCF916F2E083743B4B86993E97B08C02FD4211034EE1C842EE09A3" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67B15E3DAC4B9CD7C93ED9134CA" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tigoihdufw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tigoihdufw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C089C5583506A3576A770222DDB7DF165DE" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B02F479739EE52C4B9D4329DD7B8" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tigoihdufw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tigoihdufw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tigoihdufw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tigoihdufw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF8E4F268268903CD72A7EE6BDE6E633584166456244D6E9" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B5FF1F21AAD27ED0A28B7F9162" | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tigoihdufw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tigoihdufw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tigoihdufw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tigoihdufw.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
468 | WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed, hit counts in parentheses)
3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe (16 hits)
4796 | kivvtmzkqvruv.exe (12 hits)
4760 | tigoihdufw.exe (10 hits)
1932 | nublzvhe.exe (8 hits)
1504 | pqbrdjbvcirnfny.exe (10 hits)
4796 | kivvtmzkqvruv.exe (4 hits)
4312 | nublzvhe.exe (4 hits)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (consecutive identical rows collapsed, hit counts in parentheses)
3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe (3 hits)
4760 | tigoihdufw.exe (3 hits)
4796 | kivvtmzkqvruv.exe (3 hits)
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
4312 | nublzvhe.exe (3 hits)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (consecutive identical rows collapsed, hit counts in parentheses)
3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe (3 hits)
4760 | tigoihdufw.exe (3 hits)
4796 | kivvtmzkqvruv.exe (3 hits)
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
1504 | pqbrdjbvcirnfny.exe
1932 | nublzvhe.exe
4312 | nublzvhe.exe (3 hits)
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process
468 | WINWORD.EXE (17 hits)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, hit counts in parentheses)
PID 3548 wrote to memory of 4760 | 3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe | 87 (3 hits)
PID 3548 wrote to memory of 1504 | 3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe | 88 (3 hits)
PID 3548 wrote to memory of 1932 | 3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe | 89 (3 hits)
PID 3548 wrote to memory of 4796 | 3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe | 90 (3 hits)
PID 3548 wrote to memory of 468 | 3548 | 7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe | 91 (2 hits)
PID 4760 wrote to memory of 4312 | 4760 | tigoihdufw.exe | 93 (3 hits)
Processes
C:\Users\Admin\AppData\Local\Temp\7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe (level 1; command line: "C:\Users\Admin\AppData\Local\Temp\7261f85ec2a296d9cb6ecb34badf37cf_JaffaCakes118.exe")
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3548
C:\Windows\SysWOW64\tigoihdufw.exe (level 2; command line: tigoihdufw.exe)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4760
C:\Windows\SysWOW64\nublzvhe.exe (level 3; command line: C:\Windows\system32\nublzvhe.exe)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4312
C:\Windows\SysWOW64\pqbrdjbvcirnfny.exe (level 2; command line: pqbrdjbvcirnfny.exe)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504
C:\Windows\SysWOW64\nublzvhe.exe (level 2; command line: nublzvhe.exe)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1932
C:\Windows\SysWOW64\kivvtmzkqvruv.exe (level 2; command line: kivvtmzkqvruv.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4796
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2; command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "")
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:468
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (6)
Downloads