Analysis
max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Size: 20KB
MD5: bd02dd4aeb54e99962d72649846388e7
SHA1: 45e4bee4b2dfddfab1f8de0b9cdc564617a1b561
SHA256: 0e36eb0d6f2b882a23358d5fdd98c812c8139d64bf26a4cee2a2d43b2a43d4f9
SHA512: ff804b2c036b08191e5b157c34ddcb1a0aa57c354b82f7cf65e180f235b1037d03da99be7d5b842733445c6fc0e6f66cd618fd10fe07e26b04ceb92d68b56f1b
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBf:1M3PnQoHDCpHf4I4Qwdc0G5KDJZ
Malware Config
Signatures

Drops file in Drivers directory (60 IoCs)
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description                   ioc                                                        Process
File opened for modification  C:\Windows\SysWOW64\wintrust.dll                           AE 0124 BE.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll    AE 0124 BE.exe
Executes dropped EXE (4 IoCs)

pid   Process
2580  winlogon.exe
2976  AE 0124 BE.exe
1052  winlogon.exe
2828  winlogon.exe
Loads dropped DLL (8 IoCs)

pid   Process
3016  bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
3016  bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
2580  winlogon.exe
2580  winlogon.exe
1052  winlogon.exe
2976  AE 0124 BE.exe
2976  AE 0124 BE.exe
2828  winlogon.exe
Drops desktop.ini file(s) (64 IoCs)
Drops autorun.inf file (1 TTP, 28 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
C:\Windows\winsxs\amd64_microsoft-windows-qwave.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f55efd9e512ef9f AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-wlancoinstaller_31bf3856ad364e35_6.1.7600.16385_none_4e924d1dbd31b3c1 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Scene_loop.wmv AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnsh002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6d073a0591289da2\SH_1_RES.DLL.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_975c169ee90ab1ac.manifest AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AE 0124 BE.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  winlogon.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2660 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Suspicious use of WriteProcessMemory 24 IoCs
Processes (nested by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (PID 2660)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2852)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2580)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\AE 0124 BE.exe (PID 2976)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2828)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 1052)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Downloads