Resubmissions
31-07-2024 14:36  240731-rykvcsshjd  score 10
31-07-2024 14:35  240731-ryc5hssgrc  score 3
31-07-2024 14:02  240731-rb33esxakj  score 10

Analysis
max time kernel: 1199s
max time network: 1158s
platform: windows11-21h2_x64
resource: win11-20240730-en
resource tags: arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-07-2024 14:36
Static task: static1
Behavioral task: behavioral1
Sample: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Resource: win11-20240730-en
General
Target: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Size: 92KB
MD5: 7cb12c7eac83f0bc7f581f4b28a041c5
SHA1: b47b064e27e0654d828f9911186e62ec385114e3
SHA256: 97689f3967844dd326e7a2b68e7da5b6b3967eea7748d1e3313910a16cacdf16
SHA512: eb82b4431741921acdf899e3f9bf644341ccf31def0fcdb0d849a208e4ce82047c91ec08fb65ae13137d09c12382edda7c63bae8f5e6c486a9e75d8fbd97f199
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4ANWh3WB+Yjy0bPwegunu6Jnd4H94A6:Qw+asqN5aW/hLXWZWB+N0bI8Jnud4
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (558) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: MsiExec.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6EADE66-0000-0000-484E-7E8A45000000} | MsiExec.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 4 IoCs)
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | msiexec.exe
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Drops startup file (5 IoCs)
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
Processes: OfficeClickToRun.exe, MSI60F4.tmp, MSI7AF8.tmp
pid | process
2008 | OfficeClickToRun.exe
4528 | MSI60F4.tmp
5552 | MSI7AF8.tmp
Loads dropped DLL (58 IoCs)
Processes: MsiExec.exe (seven instances)
pid | process (consecutive identical rows collapsed with a count; 58 rows in total)
3324 | (process name not shown in the report)
576 | MsiExec.exe (x2)
5492 | MsiExec.exe
5668 | MsiExec.exe
8068 | MsiExec.exe
4860 | MsiExec.exe (x13)
6756 | MsiExec.exe (x6)
4860 | MsiExec.exe
6756 | MsiExec.exe (x14)
4860 | MsiExec.exe (x4)
3324 | (process name not shown in the report)
668 | MsiExec.exe (x13)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe = "C:\\Windows\\System32\\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe" | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
All 64 entries have description "File opened for modification" and process 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe; the ioc column (one path per line) is:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Program Files\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Public\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-118640398-3063844760-4281400433-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-118640398-3063844760-4281400433-1000\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
description | ioc | process
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
(signature name missing in the source)
Processes: MsiExec.exe, msiexec.exe
description | ioc | process
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\MitigationOptions | MsiExec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\MitigationOptions | MsiExec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\DisableExceptionChainValidation | msiexec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe\DisableExceptionChainValidation | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | msiexec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions | MsiExec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | msiexec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\DisableExceptionChainValidation | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | msiexec.exe
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | msiexec.exe
Drops file in System32 directory (19 IoCs)
Processes: msiexec.exe, MsiExec.exe, 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\c:\Windows\system32\mfc100rus.dll | msiexec.exe
File created | C:\Windows\SysWOW64\Elevation.tmp | MsiExec.exe
File opened for modification | \??\c:\Windows\system32\mfcm100.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100cht.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100chs.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100deu.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100esn.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100ita.dll | msiexec.exe
File created | C:\Windows\System32\Info.hta | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\system32\atl100.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfcm100u.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100enu.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100kor.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\vcomp100.dll | msiexec.exe
File created | C:\Windows\System32\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\system32\mfc100jpn.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100u.dll | msiexec.exe
File opened for modification | \??\c:\Windows\system32\mfc100fra.dll | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe, MsiExec.exe, msiexec.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_uk.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.scale-125.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-256.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview.svg.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\hr-hr\Resources.resw | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png.id-535D73CE.[[email protected]].ROGER | MsiExec.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-30.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner.svg.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\VideoLAN\VLC\THANKS.txt.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\ui-strings.js.id-535D73CE.[[email protected]].ROGER | MsiExec.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js.id-535D73CE.[[email protected]].ROGER | MsiExec.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_cs_135x40.svg.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-400.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\PlayStore_icon.svg.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.INF.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.id-535D73CE.[[email protected]].ROGER | msiexec.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Large.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-80_altform-unplated_contrast-white.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\GlobalSettings.js | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg.id-535D73CE.[[email protected]].ROGER | MsiExec.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Facepile.js | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\ui-strings.js.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSplashScreen.contrast-black_scale-100.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_lo.dll | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-hover_32.svg.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.id-535D73CE.[[email protected]].ROGER | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Drops file in Windows directory 64 IoCs
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeXMP.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D14.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXE8SharedExpat.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB024.tmp | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7AF8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\prcr.x3d | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Edit_R_RHP.aapp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icudt40.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SendMail.api | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CROATIAN.TXT | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DataMatrix.pmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Edit_R_Full.aapp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SYMBOL.TXT | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF85.tmp | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100cht_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Onix32.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CYRILLIC.TXT | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D49.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7A2A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_ecc.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\info.plist | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100esn_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI328E.tmp | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrosup64.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D13.tmp | msiexec.exe
File created | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\CacheSize.txt | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7250.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_d.x3d | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100rus_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ICELAND.TXT | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcp100_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\fillsign.aapp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1250.TXT2 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_RHP.aapp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100chs_x64 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB18C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7B09.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXSLE.dll | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100fra_x64 | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100ita_x64 | msiexec.exe
File opened for modification | \??\c:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64 | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe, DllHost.exe, DllHost.exe, MsiExec.exe, MsiExec.exe, MSI7AF8.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI7AF8.tmp
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000575fc739231626340000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000575fc7390000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900575fc739000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d575fc739000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000575fc73900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: msiexec.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msiexec.exe
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
5536 | vssadmin.exe
6352 | vssadmin.exe
-
Processes: iexplore.exe, explorer.exe, msiexec.exe, iexplore.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | iexplore.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "528066962" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | iexplore.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31122308" | iexplore.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} | msiexec.exe
-
Modifies data under HKEY_USERS 28 IoCs
Processes: msiexec.exe, MsiExec.exe, MSI60F4.tmp
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\EUDC | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Printers | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Console | MSI60F4.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Environment | MSI60F4.tmp
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Printers | MSI60F4.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software | MSI60F4.tmp
Key created | \REGISTRY\USER\.DEFAULT\EUDC | MSI60F4.tmp
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Environment | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\System | MsiExec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | MsiExec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Console | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | MSI60F4.tmp
Key created | \REGISTRY\USER\.DEFAULT\System | MSI60F4.tmp
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | MsiExec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | MSI60F4.tmp
-
Modifies registry class 64 IoCs
Processes: explorer.exe, msiexec.exe, OpenWith.exe, MsiExec.exe, MsiExec.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C5ADB75C34456D42B33823269140800 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.xdp+xml | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1E6C7A4-6B15-4C06-B1EF-88A4F2A886CB}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CD069A0-50AA-11D1-B8F0-00A0C9259304}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\ProgID | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Read | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Read\command | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6236FF8C-E747-4173-86D3-99F511B61DF3} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EA-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | OpenWith.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\InprocHandler32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\1.0\FLAGS | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\SourceList | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\AuxUserType | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat2018\shell\open\ddeexec\application | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.fdf | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Open | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.pdfxml | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | explorer.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\7 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17F2E344-8227-4AA7-A25A-E89424566BBA}\NumMethods | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\ProgID | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat2018\shell\open | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08A9E040-9A9C-4F42-B5F5-2029B8F17E1D}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5AAABB05-F91B-4bce-AB18-D8319DEDABA8}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | OpenWith.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}\VersionIndependentProgID | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\Verb\0 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\8 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Printto | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\ddeexec\topic | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker.1 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AcroBroker.EXE | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings | OpenWith.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE} | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DEA7885-1846-411F-A41E-017A8FD778FF}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24DA047B-40C0-4018-841B-6B7409F730FC}\VersionIndependentProgID | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\Insertable | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-118640398-3063844760-4281400433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Applications\java.exe | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\MiscStatus | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ProxyStubClsid32 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\command | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\DefaultIcon | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid | msiexec.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid | process
7192 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe
pid | process
488 | 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe (this identical row is listed 64 times in the report, one per IoC)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
7192 explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
process (pid): privileges adjusted via AdjustPrivilegeToken
vssvc.exe (4108): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
explorer.exe (7192): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (2284): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege (SeRestorePrivilege and SeTakeOwnershipPrivilege adjusted repeatedly, alternating)
vssvc.exe (5376): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
pid process
7192 explorer.exe
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
pid process
7576 OpenWith.exe
5772 OpenWith.exe
6740 OpenWith.exe
1548 OpenWith.exe
8116 OpenWith.exe
436 MiniSearchHost.exe
2008 OfficeClickToRun.exe
3872 OpenWith.exe
6712 OpenWith.exe
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
description pid process target process
PID 488 wrote to memory of 1120 488 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe cmd.exe
PID 1120 wrote to memory of 1460 1120 cmd.exe mode.com
PID 1120 wrote to memory of 5536 1120 cmd.exe vssadmin.exe
PID 488 wrote to memory of 8076 488 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe cmd.exe
PID 8076 wrote to memory of 5152 8076 cmd.exe mode.com
PID 8076 wrote to memory of 6352 8076 cmd.exe vssadmin.exe
PID 488 wrote to memory of 7968 488 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe mshta.exe
PID 488 wrote to memory of 7632 488 7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe mshta.exe
PID 2284 wrote to memory of 3984 2284 msiexec.exe srtasks.exe
PID 2284 wrote to memory of 576 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 5492 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 4528 2284 msiexec.exe MSI60F4.tmp
PID 2284 wrote to memory of 5668 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 8068 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 4860 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 6756 2284 msiexec.exe MsiExec.exe
PID 2284 wrote to memory of 5552 2284 msiexec.exe MSI7AF8.tmp
PID 2284 wrote to memory of 668 2284 msiexec.exe MsiExec.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe (PID 488)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7cb12c7eac83f0bc7f581f4b28a041c5_JaffaCakes118.exe"
  Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1120)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 1460)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 5536)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 8076)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 5152)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 6352)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\mshta.exe (PID 7968)
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe (PID 7632)
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe (PID 4108)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\werfault.exe (PID 6572)
  Command line: werfault.exe /h /shared Global\23c7aa7985464b329c5fb5c04ea9214a /t 7672 /p 7968
- C:\Windows\system32\werfault.exe (PID 7112)
  Command line: werfault.exe /h /shared Global\62cf1f5d6ccd4aeb9dc83dece3fd578a /t 5124 /p 7632
- C:\Windows\system32\OpenWith.exe (PID 7576)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\NOTEPAD.EXE (PID 7592)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\FILES ENCRYPTED.txt
- C:\Windows\System32\rundll32.exe (PID 7784)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\OpenWith.exe (PID 5772)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 6740)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 1548)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 8116)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\NOTEPAD.EXE (PID 7948)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
- C:\Windows\system32\NOTEPAD.EXE (PID 8084)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
- C:\Program Files\Internet Explorer\iexplore.exe (PID 6956)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Signatures: Modifies Internet Explorer settings
- C:\Windows\system32\svchost.exe (PID 7176)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Program Files\Internet Explorer\iexplore.exe (PID 5800)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Signatures: Modifies Internet Explorer settings
- C:\Windows\system32\CompMgmtLauncher.exe (PID 5676)
  Command line: "C:\Windows\system32\CompMgmtLauncher.exe"
- C:\Windows\system32\BackgroundTransferHost.exe (PID 5868)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (PID 436)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe (PID 6708)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\rundll32.exe (PID 5680)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
- C:\Windows\SysWOW64\DllHost.exe (PID 3760)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  Signatures: System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe (PID 7192)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  Signatures: Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2284)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Event Triggered Execution: Image File Execution Options Injection; Enumerates connected drives; Indicator Removal: Clear Persistence; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Checks processor information in registry; Modifies Internet Explorer settings; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 3984)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (PID 576)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 57DD048F9EBAA0A613CF5763486AF25C
    Signatures: Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe (PID 5492)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 3C93D06E6E10A349BF26BFCD87FC08BB E Global\MSI0000
    Signatures: Loads dropped DLL; Modifies data under HKEY_USERS; Modifies registry class
  - C:\Windows\Installer\MSI60F4.tmp (PID 4528)
    Command line: "C:\Windows\Installer\MSI60F4.tmp" INSTALLDIR="C:\Program Files\Java\jre-1.8\\" ProductCode={77924AE4-039E-4CA4-87B4-2F64180381F0}
    Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  - C:\Windows\System32\MsiExec.exe (PID 5668)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding E20F63220FFDBBF2A95792603844A545 E Global\MSI0000
    Signatures: Loads dropped DLL
  - C:\Windows\System32\MsiExec.exe (PID 8068)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding F7AB8FDF17C13ED88AD308D8341A50D8
    Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 4860)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 47E3621C6CAD3805BC1D79EC1A72EBDA
    Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 6756)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F81007D9380C831CFAACF579B625378E E Global\MSI0000
    Signatures: Boot or Logon Autostart Execution: Active Setup; Loads dropped DLL; Indicator Removal: Clear Persistence; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\Installer\MSI7AF8.tmp (PID 5552)
    Command line: "C:\Windows\Installer\MSI7AF8.tmp" /b 3 120 0
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - \??\c:\Windows\System32\MsiExec.exe (PID 668)
    Command line: c:\Windows\System32\MsiExec.exe -Embedding 553AF88C170FA6DD87FEC2CABFDD3642
    Signatures: Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 5376)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 2008)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProPlusRetail.16_en-us_x-none culture=en-us version.16=16.0
  Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 3872)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 6712)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (3)
  - Clear Persistence (1)
  - File Deletion (2)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize12KB
MD5537c1380cf1d340bd8e15386554c8001
SHA10d44306f07b2deb9750802134796a890a9eb7278
SHA2568ef5a4afa8e6345e01b21d6173f385fa87df51cc81bcbb05bbbae81b63466b34
SHA512de04aceb5380322a8dbc6998460f6ebbd6ba4df6a6fd10a4e723255ac2dc950425059b53815a872c4140c37db64076bea2c5636f67e1fa285a9771a92f17d46c
-
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER
Filesize16KB
MD54a9a379aa485270a25b33218d098ebe2
SHA1a3facc4f353ad425f257734a3bc99b315c6ea7b8
SHA256a543f08c353cc312443a13cd99aa3f5e84b254823705e3d6cdc07de2298f4f21
SHA5124304fae2c8ee4b189bb63dc97e11764490dab145dd3999287c09ae4abfa24af062f3024937dc127eaf0d3899e21a3ec8cc006e66fba38ff74f5f4197354ad83b
-
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER
Filesize17KB
MD5d15b1da94d2717a32adf055e699612a0
SHA15b8ca14afa06799ddd882d2d3b0b2df392d508cd
SHA2568082092a9d264e324ec95c4c8c2740c827672af78e5e31796b5b34a1bf4b499a
SHA51278add60abcdffe0d1c07c386171ee24e177932bc4007a44d404c9c459155592d22b774998b7278db612abc7692ba01557cd6b52e9beaf175f3bfc1e2e31dd4b3
-
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER
Filesize18KB
MD5def5ea99723f47db027e28fca3cba3af
SHA1e2b84198d18974fda2b126ddd32dc508567cfc63
SHA25632ae8c25330a40436e6f9f8946381f64f5940bad4cd768d99436890b01762354
SHA51234193b42f52b9db1f1da055a45afbb735b69c6332341362d0bb8786cdddf0cf3d70299fe8c602cb3dc817eb0e046c26065f555fc90af41a370fd3ed98c1c58fb
-
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER
Filesize14KB
MD533113cd5912cb64b9e3be1e525b09605
SHA1a31c52afefbedf6a8fb0366a5dc668a878668a6a
SHA25684957a1267548f910fc4b06871d7584d7292176a8db0630ef888bfb3c6c848f8
SHA512a809149d8b82ad6b0c16ec0784d8d7812cef2ee8ff1875b5671460c35201e1bef342d8bd2b4799f259b61704413f2ae2500f9e425293d0db448b73978610ff76
-
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.id-535D73CE.[[email protected]].ROGER
Filesize12KB
MD571262156b291ccb3d74f9710f74248bc
SHA1b2693d0b19deebe4fc8acbc6b557b116cb5d881f
SHA25638e88f8d6ca2a02daa918ec2af1735813a8aa1fd2d5936d92aa55d5d5d0485ee
SHA51209fee2b689ee81d4cf5080b897643f61f1cfa63bd6c97605abb144681a0e15f564baf6a5d00cee885a8619335405e68e32c3ccb050d9827c199e71b9591f0d5e
-
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.id-535D73CE.[[email protected]].ROGER
Filesize23KB
MD5a25851448342066e10edfacaed50c49b
SHA16d365e93bae0a27ff62cb3c2cfdfd1d328576688
SHA25663c8cf9445a318472639e0a71269ce384e549fcd2539b9efb8701cd71106f5f2
SHA5125cd221dca342b75ed951022d109e246b384580c6b38b234f3e0eca1e79737f4725968bb81d1d99bbb1f77bd5934825f03f947cc8df9ec60a99b98cc902a2a180
-
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.id-535D73CE.[[email protected]].ROGER
Filesize23KB
MD598d5b7e43e89ec5e9d2e4e90ac54438c
SHA117f3b53cb687533576af8e5ccbd49eb0f97c27e1
SHA2564f3be284bef75405b44a07073d3d40d405e9d3e078aa5c826c332743e6aa2888
SHA512a2f12d8297b0a78ccda269c5610c0e8026128771a1dbed2fe8c00316dc7f6a9958693360309e10db8a504b1922a084d2973289f30ee540c93b67b3a6704dedae
-
C:\Program Files\Java\jdk-1.8\bin\idlj.exe.id-535D73CE.[[email protected]].ROGER
Filesize23KB
MD54ad2c643b11871e507226c114382a4c1
SHA19e64f9750fe1364e0955c1ecdb0be4cd0449bac7
SHA256bbb26ffb08a134d0203bc5ceb9c9b528cfd152ffa92e5e7c16b007609bd7ffc4
SHA512cd802b663de4bdbdb3d15656b5b72d63d3d6a5e477e623dee0bc5c431c93b095b817a755b851fef44b31ef8189e46cf26b95f83141f62e7ee91155d691bc4a25
-
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.id-535D73CE.[[email protected]].ROGER
Filesize44KB
MD58af28c93419582e1c6ce18385befa441
SHA10f917f69f2ac09d064afa3a600125058274319cc
SHA25629268e0687bf64f8fcee0d60a803214484fc2435b785d1eac5a658d926720a1b
SHA5127a9e91cd0e9e019f71bde5ffd27b7aca87e116c85c3752c9571aa0a73d02710d93602e04b59298844eb6d70121e554ae2c376b14dedcbdb30d50f921007ba9b4
-
C:\Program Files\Java\jdk-1.8\bin\jar.exe.id-535D73CE.[[email protected]].ROGER
Filesize23KB
MD57d9a769652c6255a452bed74f54d8979
SHA166962e9da5d7c66f20e5cf15bb5cd85564503796
SHA2564f67e3bb9725b43ebeda2b879fcb6e7850c57084b5ff217ed1b6a4e485eead9c
SHA5121593f8d6b9da90cef6b7978eedad4c6d3cbfe57e43526b7bc30aece4a88c5b7562b655c0ec1fbc7a2c66aabfa9f5dbc0d2ec7704e6ec5b323873f127ced983bf
-
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.id-535D73CE.[[email protected]].ROGER
Filesize23KB
MD5649e0d1771f6eadb859c53694ff56c63
SHA1a2a637f0dc012dcfe57ffc4aeadc488d4b6145fe
SHA256d7235ad0d3fa3a7bc7caf7ccd4d625d67e7ba57543ce522029cf496dfc7be8a4
SHA512dae4343791b321a0f219d8467c64d2b11352c853119deec85943d925caf48b6bda6a9fb0359249bf5fcef045c645b6e9cea91ce4d01757a725782fe124b49317
-
C:\Program Files\Java\jdk-1.8\javafx-src.zip.id-535D73CE.[[email protected]].ROGER
Filesize5.7MB
MD5c807180fbc49aaa507c6a6f4297854af
SHA111e2a58ccf33458cd5ac0a143d91e2a0f2ab1bac
SHA256fc20bddeda0d40b4d6e7e9e454f99690e17fc4180b01d2705db6d204e67663f3
SHA512083649f17d8e91d4677eefe26252719df85134a3a9a99bf0e0f09b2566e79bc95383be402479468603d3c4eb5e18feabed19060ec817c5fff7e809c9c2116157
-
C:\Program Files\Java\jdk-1.8\jmc.txt.id-535D73CE.[[email protected]].ROGER
Filesize434B
MD5baa7760005ac56fdd9825042e551bc43
SHA1d02abedff2b2b8722edd936c331c571f8d7a6cb5
SHA256867ea92092e047e75573361b4b8734eb1d9f9658e29c7431abefca3366ac5f93
SHA512943e2b6abe800120257fc5ccccdd76b0b91a5fb9809fb04676769a99506369af0dee4bb9f94587287dc8aa8bd17e2155d0c2ebe6244c29e945bb9f48b255bf55
-
C:\Program Files\Java\jdk-1.8\jvisualvm.txt.id-535D73CE.[[email protected]].ROGER
Filesize430B
MD5d08422c51ddc652caea4636648e154b6
SHA19f339ca815ff22905b0f5e732366f6c3c250da95
SHA25657c0e6c6127c1472c8a27b51d110a8c6c13c87135a167ba8d961a2a767dd558a
SHA512f358b102568bd551529f9271fb4309027d10618e7ad0656f0f9f23aac77367f1da15899823503a65584b16a2212e9f461f3017af75ec5bded9b5d07677b91ed7
-
C:\Program Files\Java\jdk-1.8\release.id-535D73CE.[[email protected]].ROGER
Filesize402B
MD5f282dd024314f2eac55c1f2295149189
SHA163e612d4fd998d27cbd64bfaec57121289ce66d0
SHA2560215364b2c9916fac5e903170393a289fa611a0127c69e13080e536f90d56ec6
SHA5120113e74f2f5e318a007d92e375f716c410d059073baf5506f1516128d9a308a2e758714d957a3d03074775db5d043530a14103ba9219fe257e588d197542b43b
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize1.7MB
MD5c606bd7c9c733dd27f74157c34e51742
SHA1aab92689723449fbc3e123fb614dd536a74b74d4
SHA256606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0
SHA5125f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38
-
Filesize
177B
MD5a55fb7769c8c3be66219e8ca2b322d51
SHA150c5a0e965307903119126e54351a5a47f0dc3d9
SHA2564de0a9dec604cde18e16cae6eeed86f85adc687d19c12943f5a3abd08c1e785c
SHA512ed4ae845d5172aa96f7a24f0c307c0c535e563c0b35bddc99953e3d993d57af86f820189d0ece08f1858b1c9d5bddfc42e55b491fdde802d657c59d23b6c76d1
-
Filesize
173B
MD58d2ea0247cae891e2786f4265f151c96
SHA1fd072605314c81207e14988d12ca0206c7e31122
SHA256dbb6eadf1e8331965d112f6428fc864412240b8595964e25cb00bec14e69cc3d
SHA512389598be3b6ebb2d11383e98c16ef517f0eb3f82a9c1fde88a8d85f5bb537636704602148f33529d2033e50b839b2fa5d8fcdc60e60ad5849fa29f2e26948ec7
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\ad03363c-36ee-40b1-bf2a-150d59ac40c0.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize11KB
MD5906a645298724cccd069cfc23991f8d4
SHA163e47e8e72b6c5490dec955a2fe400c908d5b6b5
SHA25659ef0186d2c9c0a84fbbf202260feaceec7562c09ec02c0bb4d17b73e02f5868
SHA5120e53bbe6a0950352ad630b46c524b738b84e9da94cb7cb0b562261cf1544f198e436227c247159d7340a95726a75fc10e5a8c411ad48c39e68a8dd7f4fa7ff2a
-
Filesize
5KB
MD51e9cb93fdc822ba5fb7411e1cc622b3a
SHA16a8b13e0d2cb7eb34721613b3ace349b282a5573
SHA25655851cde0f6cdec597923b3c4ba43970c6c4becc45fd6e2a3527654d905c458f
SHA512ae7dd4d6f183a743292bf891e98ca1ccf3a191e636355efcd416c9e8edec73563dea441a4d35b0804bcf4e4dd7e9c05c812c655c0e4485d0d096cd0a89a782f3
-
Filesize
7KB
MD5a465fa51affabf999002d7d3c1be8511
SHA102912cb7430aa4e3b8e1771cccc5542153297ff8
SHA256529a46f0a2afdab8595666f26c858c4c6e87353c5da72fe4e05439b52e2011f9
SHA512d1e60982d0f8c57fd7c01aa94d1ada6c801cd870504ba46e911141baaa838e4520907167bf003981876b1c49c826687d39ca1a32327d10711d38280357953149
-
Filesize
885KB
MD51f0af45ebb41a281e1842cf13ec0a936
SHA1ed725de3bfb61f9614d76497ce88488925502977
SHA25618c9929344a096d80a051b2513c1c91ca89ba22c9e8d24240faf1566767a9e66
SHA5123c414d6ea6f929d9710ffb9a8dbfa737b36ded9b2cdf8260d6a8a9224ffb005e1dc090d331b9f69b9c7c8871570f437288fcc3c8b51dd619df9975d374085c8c
-
Filesize
418KB
MD567f23a38c85856e8a20e815c548cd424
SHA116e8959c52f983e83f688f4cce3487364b1ffd10
SHA256f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40
SHA51241fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d
-
Filesize
148KB
MD5be0b6bea2e4e12bf5d966c6f74fa79b5
SHA18468ec23f0a30065eee6913bf8eba62dd79651ec
SHA2566bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164
SHA512dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b
-
Filesize
209KB
MD50e91605ee2395145d077adb643609085
SHA1303263aa6889013ce889bd4ea0324acdf35f29f2
SHA2565472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b
SHA5123712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be
-
Filesize
93KB
MD5186694813c3d5e33202a1a72c5079cc3
SHA190a9c2bf6419be6f46999e137c2149feca62cd13
SHA256fb13d67c05d0e3c693701d782a55bc002ab62e972e4f018bd6b1717493bf1ae2
SHA51257bf8ef4bdc08bcd7a83f82d14556710a2ef0cc7ef63366c48b144002a5f70cd58a130011cce648dcb3e9f62eafd6b188aa908b3b8f324448fb38567e499383b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e