Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:17
Static task: static1
Behavioral task: behavioral1
- Sample: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
- Size: 532KB
- MD5: c06bc6914d0027f75bb4d381a806a193
- SHA1: 832f2ddc005856724f646bb6f32b9a47e37fd39d
- SHA256: a1c2da26a3aec23b7d2caf96d5b5dbf05bf8c817e6b3d48522a2403d4f8e1eca
- SHA512: 16cbae77a71904d7aa0a89d305659ec5d73854be0ef92070f693fafc817078e7845ad45e187937c16fb83f006352432883987cb3ce17d19714fa5bec803ac941
- SSDEEP: 12288:EU9Xiuiqn0QP5vpBcRFIh66M5XjQ5SoMyF7+crn580L7:EUdHNn0a5sRWI5TQMNw7+a580L7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description: File opened for modification; ioc: C:\Windows\system32\drivers\etc\hosts; Process: cmd.exe
-
resource: behavioral1/files/0x000400000001cb98-404.dat; yara_rule: aspack_v212_v242
-
Executes dropped EXE 1 IoCs
pid   Process
3020  server.exe
-
Loads dropped DLL 6 IoCs
pid   Process
2404  WScript.exe
2404  WScript.exe
3020  server.exe
3020  server.exe
3020  server.exe
3020  server.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\empezar.bat = "C:\\Windows\\system32\\6095\\empezar.bat"; Process: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Windows\\system32\\6095\\server.exe"; Process: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one entry each): c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe, WScript.exe, server.exe, cmd.exe, net.exe, net1.exe, IEXPLORE.EXE
-
Modifies registry class 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
2824  iexplore.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid   Process
3020  server.exe
2824  iexplore.exe
2824  iexplore.exe
2220  IEXPLORE.EXE
2220  IEXPLORE.EXE
2220  IEXPLORE.EXE
2220  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Each of the seven entries below is listed four times in the report.
description: PID 1052 wrote to memory of 2404; pid: 1052; Process: c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe; procid_target: 30
description: PID 2404 wrote to memory of 2868; pid: 2404; Process: WScript.exe; procid_target: 31
description: PID 2404 wrote to memory of 3020; pid: 2404; Process: WScript.exe; procid_target: 33
description: PID 2868 wrote to memory of 2656; pid: 2868; Process: cmd.exe; procid_target: 34
description: PID 2656 wrote to memory of 2932; pid: 2656; Process: net.exe; procid_target: 35
description: PID 2868 wrote to memory of 2824; pid: 2868; Process: cmd.exe; procid_target: 36
description: PID 2824 wrote to memory of 2220; pid: 2824; Process: iexplore.exe; procid_target: 37
Processes
PID 1052 (depth 1): C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID 2404 (depth 2): C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\6095\listo.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 2868 (depth 3): C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Windows\System32\6095\inicio.bat" "
      - Drops file in Drivers directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 2656 (depth 4): C:\Windows\SysWOW64\net.exe
        Command line: net stop SharedAccess
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID 2932 (depth 5): C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SharedAccess
          - System Location Discovery: System Language Discovery
      PID 2824 (depth 4): C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://srvr.timwe.com/timwe_prod/PROD_COL/PERU/CLARO/minisite/index.php
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 2220 (depth 5): C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
    PID 3020 (depth 3): C:\Windows\SysWOW64\6095\server.exe
      Command line: "C:\Windows\System32\6095\server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
Filesize342B
MD5dacdb24f9362bb89073837bf2c1a3d71
SHA162c877bf55b52bc2bd931081c19b08f2f3aedf65
SHA2565f57ce0f542f4a99d0ee8b5d45460b18e489beb879d2becacabc30b973d5359f
SHA51227835de6827bc50595e4317f950689b232783a5374bf3beaefa438d03ca8c9107c9057e223973a81cc227edac82c23975e2f5d8a601b068a9b54fc6147c63b1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD597eb5b4f3d28c5ba2535ad9b5017cfa8
SHA14b6f9c9a464d5e44f61f64e0255c1fc720484323
SHA25697ac8a3ffae2930c87372bd89b9c09f3b764ccfe75ba9e19ce858bd7b17ad9cf
SHA512dc469e8673b0d248289cba3a529f8e45a3a1fc84ad1c38ca2309aa7ce10226f4887847666f7fac1885492126282d412dbd76d6bbda5e3cbe52e4e7aa5fe82056
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e779e2c3f524dd94aec03b9b9dff3978
SHA1061435b3a764aadb1658b54635256d588d878e71
SHA25659b07287d1dcca41589dfd4e3138356247b8fd982bef369bb96eb21de68c6b17
SHA5129a8dafaef59c7db7ae21da814caef25014a03c7dc01d00ffabc37fe505fef7596adb8a9e607e41954faaebf6f2e747b823caeafe0242c4475cfdd9a277105f36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ce772684c9d8cb0fa9677f345afabd66
SHA11223f62bd1b8e6fa3d69ba894ecc362f45e9f118
SHA256bcca9b26a949ceff644233f44e8550b19b862b7ffeb9855bad8a1044c55a8516
SHA512a7753c9e11825b2b319ccc582b8807689876c9e24d6db61c5f6352c040dae65c387118170be49a3200a4a98f005066fe574c4a3b4c56d460f8cd5ab2337ff96e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD530d654359c901139364603642bb33902
SHA1e3053cdcb138cd451011d7efd38f73fa942bfaec
SHA2563f75c854ac86bdea326c307fbc1ffd27037a17416b89e1bafb3b755271320cd0
SHA512ea4532abd01d554aeaaca2e5313b2df79f42f79a75e0e16dcc8d46e9fd834c5979eaa24ee5f7e07b4414c01d3dde31e37058fae847f2b418c4911aaa9c1dc2e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b91e803e50704135cee27107763a1a79
SHA1cde25a48b8ce8c650a6fb71fd791a9786c7e6d65
SHA2562beea81c5af23b13bb2e0c80734383162fc4d4494db9197f804d22b9cda94b9e
SHA51267b1fae92f49be8cf65698d03385c0c02e7f10da88ea3e066862a23c1a18e5d88f3cc95dd724793b0d9a798fb1505b2ab7084096b5836240601a181efaed2297
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5561701c696426a177245d68524fa6f22
SHA1e6c4269791951824a9a0559723b4d76d30ab4716
SHA2561f2edb9361ce424860101d00a9adb65ef71ed8f31f634314b0d555d6e55ce457
SHA512239412be20b0fd51241bd3c510690563f166909dc936fcbf9a93114bbebf0891b795393a220edb6b5cb836e9d46fd28e5709fbba200047b81ab48bae0c618566
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a19816f6eae179d5654dce0e6ff56bda
SHA1d5a7ca5ea38aac661e9e35f5f4cfc03825b1fdbe
SHA256c6ce9a68a73ad0fc7e78add616fdf1d1b4411c2e2af74b7b448e2ccd2a5a8bc2
SHA512b8d31eff107ebda0cb483d5fad1e746285be950057695d267e48a0e2bd16dad4f7ea394b919f1ffa720a046dedd8ad011b0958e2bff5c2c0375f2270371035a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53efd09acde32b8b89a914f406e7ddc2c
SHA10d50fed1afa9d951303b1299a9b60913c03ca92d
SHA256e2b279931932e7a6ecf25d521971b51bfbb483901c55424ff3d151c8df47271a
SHA5121806580df468a84e02e3f4a1b411e757d2e8e9d617f671735bd801ea3b821cd1b5897714bade4ec31fcc934d8d0261b74781e5b8275c93df6a5e9b340b91e1c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5afa19d5ec926a7c6c178ee1882cb72dd
SHA172cc9a6197bd4148be0b42fd0550edb7642a9872
SHA256e1956e9f58becb2538e55434b6aad002980961afe5c3952dc2ee582893f82210
SHA5124a6ba32298109d297224d198a045dd69edc2931355e628dd3692c11bf84e0f590953a50c32396f97aa30c03afec8910b8d9f0ba4e6880a0e689b607b2d21f1e0
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
54B
MD5b70875abc68acdda52465961e52d7f22
SHA1a1e96c97fe86f5c920f3b4f6a55eb38d6f42979e
SHA2567bdaeff8903cd47126213fad77a50309ccce60039dcd3c24491912c5961a6274
SHA512db7d0a5f750cf4f27e88b0f65633097d662d6c7045ae5adf6b82f9891f2c1e18242d75d57a939d7dd9c1e7f91374fa928ad34b5e3bf605cf9c8caaa3f0786235
-
Filesize
152B
MD58588fe42b88c8813b38b4130b50263e2
SHA136293570a1ee26d87b4924f74001b3b9db09f8ce
SHA256c444fd18800314f402b3390411b766d8aea965b2b1196a85e8a382c8a4021984
SHA512a0b6939ae213568316f6d6100a20043cae333a86593c7326bed394d6069ea71fda385561c2b74b209f5bf64b36717d191238f855aff15c1b4c81c7362e5e599c
-
Filesize
56B
MD58e7e35d6069b7f3cfffc2552366b8d77
SHA1eca95ebf49cc4e5ebdfd1c5898b08c761786ef48
SHA2562483283737104c74a80a0d87aafda6158380b8eb5b320dcf0dd16f1bfdca9b10
SHA51212e69f747206795fbaa83d47498a589fafc9e7b76e6e876d12d8b94f990a11b428093bdc6a0030d0101e5d50b7b71e184d1909454935300d65054d4fd8e36fb8
-
Filesize
55B
MD54448424a0727f28efafa40d30149c379
SHA1636da7194bcadff563932b4de1d5d66c9abf80d3
SHA256264e559dbeb149890848186acbca26f2bd0232c3eba38694bb8c36a85a663872
SHA512ece247d66a2940fe7fe724a062e0c69344822ed8cade60bc95663432f9cc37f412986dcf43ac8a9e214e1afde83f786d063ac7b663ecca30a0ea209b7feeb097
-
Filesize
55B
MD56ce0387d66549f45f0881bb9077e192d
SHA1f6b41cd1c0598345c71a65bce08e25bc6da9d70a
SHA2560a12e034b28fac8e819b5e9b1cce37b5e831834b5bbf6e9a64070b53533e6a8c
SHA512462782de67b91ba3169bdaf47b65db4b26e020fe68e43a3bfb9e17e61925e80cd58c9100a9277e1db09e90a7cfce34c458216c79440e0ba83d44fee9d9604d66
-
Filesize
53B
MD5bbefc514ca3b7b4e1ef7e1c62f9b1d3e
SHA17d9b89999b7fb235bb9f0759ee63ef5f73c98627
SHA2562dfa7d8aa4d292b6c84f518b69f26be52b06c5104f0e527e8a295f66e1730e17
SHA512a3155a4e06c32096774cd37d6bdb59252f2cdfeb14d426b14b5e471bc3850ed1e8f6517e2bfbdf4ee7c23864aec4f9d5c050f9b43c880dcdfbf61395e282a8bb
-
Filesize
48B
MD5ada7ea4a9123bcee2828d3520a514c06
SHA193f1b122b57109081ff4c567c81e177981800a7c
SHA256cca4e955402ad5f676f2e7f56782812526c4233538b15957436f4b2c1feaf60f
SHA512473b0baec60d55cb4186f66fff8606711f480273a8b2d0c78580e90fd52c47d40492ffbefe34693b1eae7b3967c50d9f966c1f35f28e848361d49e0a84ced1a2
-
Filesize
76B
MD59b769432f88cdba9df37f3bbf5680dcb
SHA1c394c97606ad96dfeb00a4c12756e2fe8b54240a
SHA256041e15100772ad4aa977949ba324181861a6c9e25b78e702a80801e20d9c5f8b
SHA51202f96f5df2d5c9405b6a4b9117e99f255496a87d7ca4650e36871d37e1c2215a0bc96577b6b0f161e694b8548d4507896b12deb819321c906ccbf84cbf3f7029
-
Filesize
1KB
MD50af4ea969033d065c1d9e1e00fac7ab2
SHA1dfc0c441493178427875d13f8738eefb328745bd
SHA2565bd86f0c7b9488952472273d994a2c12fc50cf7293825df767bcc5218be5393f
SHA512310c3f05542af52950232d7cb4a15c2cb086f21fc7899184e12114ce8348fa5e49f684999ff3a6ba59fcc587b05dfd1c6127629d64794b685d82e6c67a4a0801
-
Filesize
43B
MD5325472601571f31e1bf00674c368d335
SHA12daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc
-
Filesize
1KB
MD5174a762ede78de6b9f2aa8ce0d39b060
SHA17fba4fc75ba3e9dea1b5eb098c1a33939f1bcf46
SHA25641450915dcebef37b44954f00e96de58391db1b2f614d82213554e5467b53885
SHA512d5c4031784e59f7bacbfb0f42d14409cb912dc25964991b0a8ec9bf1bc05a5bd5f97c2ffdaa1d054dfd758e32f8914d5d3e1ba089ab742715ae7253508d352aa
-
Filesize
626B
MD5159eee2c69357c834edb81cf878184ab
SHA13ed002de0f2a06025c4443bf3f2989cfc2f3685e
SHA2562c5a687cf8efe6c7617470c70ddfa817c2a14e12a0fd5e045950759f3dabeca2
SHA5123049c7bd6c7cf6e2eae72ddd3c65087bbe3ad1197a47e654318fe8378bc183200e49ce8558eeb16848c02f557cffa27d444c6ef2a10baed2335d88bbba1fcc25
-
Filesize
106B
MD5ed9ab547e8782ae58904eb302b508bee
SHA1e0c674b714fe356860cbb2706b3d313a10bad21b
SHA25659c4d73ca93def31d0c496f1c7e66360484de1053d9c084faad280adad12666a
SHA512dc63f4db230e5471e14ade740b748f7317bfbfd5e641ceb09c88cdc2c2e45f6906fb5a3744daaf950c7e95ac898f3f3934b86dbb4082e3c2f60beb5115e9f9ae
-
Filesize
16KB
MD5d824fd5dc0fcb7d8b685afee4335ecdf
SHA1365f4667af283423bb730f3041293896b3198c34
SHA256f76aaa2369bac454921482500e332b451b890e1f56bced1c166d8037bd79f441
SHA5128025d2d457551c304910b9ac76c1db5e69d1a67b27389e8dbcc2529c90bb031d4e27770715de8836286e9388dcff3d56e21edfcd3779e7c4f3b528f7fbb0272f
-
Filesize
105KB
MD59484c04258830aa3c2f2a70eb041414c
SHA1b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA5129d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0