Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 09:51

Static task: static1

Behavioral task: behavioral1
- Sample: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
- Size: 1.5MB
- MD5: c07a58218ce9fe1f80bc6da7940d520d
- SHA1: 279407aebe4756b53cb166d0e2ff9ad2d7745e1f
- SHA256: 115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e
- SHA512: 2da6e69b801da12998574dee313e2c7101fe4c2da4fb1c96c8f0c43e0b6740f3ecb211d99f9cf4112333479c2ba65a42dfe8e9c1ee78d804d055e06443e06e7c
- SSDEEP: 3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi
Malware Config

Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c006d006f006e006e0065007400730071006c002e006500780065000000 (UTF-16LE, decodes as C:\Windows\system32\monnetsql.exe) | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Executes dropped EXE (36 IoCs)
pid | Process
2944 | rassvcmon.exe
2460, 2580, 548, 2012, 1120, 2812, 3024, 1240, 2892, 784, 2252, 2276, 2444, 2124, 1584, 800, 1052, 2540, 2364, 1344, 1728, 896, 2392, 2184, 2332, 2600, 884, 1076, 2288, 2304, 2064, 2528, 1140, 2624, 1708 | smss.exe (35 instances)
Loads dropped DLL (37 IoCs)
pid | Process
3012 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (2 entries)
960 | cmd.exe (35 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rassvcmon.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dispipctf.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dispipctf.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pptpipdhcp.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pptpipdhcp.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rasctfobj.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rasctfobj.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mshostsql.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mshostsql.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\rassvcmon.ocx | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\rassvcmon.ocx | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\monnetsql.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\monnetsql.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe, smss.exe, cmd.exe, rassvcmon.exe, regedit.exe, IEXPLORE.EXE
All 64 entries open the same key. cmd.exe, rassvcmon.exe, regedit.exe and IEXPLORE.EXE each appear once; the remaining 60 entries are attrib.exe and smss.exe.
description | ioc | Process
(paths below are relative to \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer)
Key created | Toolbar | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | PageSetup | iexplore.exe
Set value (int) | Recovery\AdminActive\{AD630381-62C7-11EF-960D-6A8D92A4B8D0} = "0" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
Key created | SearchScopes | iexplore.exe
Key created | Main | regedit.exe
Key created | InternetRegistry | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000da81151633c6d24639cfc1c969ef10c74224040d1297b03386202b0845e2c1b0000000000e8000000002000020000000820b262f9f4f639fad951ce56d853f8bf66c5cf97671b56bf1e67c724152e31d200000004596df5075d3c3b819abe9be23c9366a2ab0a84c703dd739ec6bae250522bc53400000000c4b1c267c8c43666f15fc976fc30b4fee3ccf4df1dba62882448cfccf07e4d3f99698c6419782dca877bf8e48377bc9f9101bbcc3d32ce95f7566feff0017ff | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = c040e89bd4f6da01 | iexplore.exe
Key created | TabbedBrowsing | iexplore.exe
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | DomainSuggestion\NextUpdateDate = "430741391" | iexplore.exe
Key created | IntelliForms | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | Main\Check_Associations = "no" | regedit.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | Main | iexplore.exe
Key created | Zoom | iexplore.exe
Key created | Main | IEXPLORE.EXE
Key created | MINIE | iexplore.exe
Key created | DomainSuggestion | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | LowRegistry\DOMStorage | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | GPU | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\rassvcmon.ocx" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Runs regedit.exe (1 IoCs)
pid | Process
2744 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3012 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3012 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (first entry)
Token: SeBackupPrivilege | 3012 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (every entry between the first and the last; 45 entries in total including the two SeDebugPrivilege rows)
Token: SeDebugPrivilege | 2944 | rassvcmon.exe (last entry)
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2992 | iexplore.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2992 | iexplore.exe (2 entries)
2828 | IEXPLORE.EXE (2 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each row below is recorded four times in the report (64 entries in total):
PID 3012 wrote to memory of 2944 | 3012 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | 29
PID 2944 wrote to memory of 960 | 2944 | rassvcmon.exe | 30
PID 960 wrote to memory of 2460 | 960 | cmd.exe | 32
PID 960 wrote to memory of 1772 | 960 | cmd.exe | 33
PID 960 wrote to memory of 2580 | 960 | cmd.exe | 34
PID 960 wrote to memory of 1028 | 960 | cmd.exe | 35
PID 960 wrote to memory of 548 | 960 | cmd.exe | 36
PID 960 wrote to memory of 704 | 960 | cmd.exe | 37
PID 960 wrote to memory of 2012 | 960 | cmd.exe | 38
PID 960 wrote to memory of 1868 | 960 | cmd.exe | 39
PID 960 wrote to memory of 1120 | 960 | cmd.exe | 40
PID 960 wrote to memory of 2716 | 960 | cmd.exe | 41
PID 960 wrote to memory of 2812 | 960 | cmd.exe | 42
PID 2944 wrote to memory of 2744 | 2944 | rassvcmon.exe | 43
PID 960 wrote to memory of 2408 | 960 | cmd.exe | 44
PID 960 wrote to memory of 3024 | 960 | cmd.exe | 45
Views/modifies file attributes (1 TTPs, 34 IoCs)
pid | Process
1528, 2156, 1488, 2724, 424, 672, 2700, 2160, 1040, 2360, 544, 2584, 1868, 1368, 2388, 1496, 2576, 1748, 1028, 704, 2128, 1580, 2120, 1772, 2408, 2700, 2716, 1740, 2148, 1396, 1184, 2480, 2696, 2864 | attrib.exe (34 instances; PID 2700 is listed twice)
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rassvcmon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (PID 3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
  Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Loads dropped DLL; Adds Run key to start application; Installs/modifies Browser Helper Object; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe (PID 2944)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe"
    Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (PID 960)
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE""
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2460)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\attrib.exe (PID 1772)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2580)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1028)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 548)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 704)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2012)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1868)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1120)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2716)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2812)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2408)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 3024)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\attrib.exe (PID 2480)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1240)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2700)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2892)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1740)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 784)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2160)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2252)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2388)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2276)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1528)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2444)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2128)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2124)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1368)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1584)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 544)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 800)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2696)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1052)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1496)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2540)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1580)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2364)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2148)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1344)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2156)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1728)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1488)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 896)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1396)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2392)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2724)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2184)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\attrib.exe (PID 2864)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2332)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2700)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2600)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2576)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 884)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\attrib.exe (PID 424)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1076)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1184)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2288)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 672)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2304)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1748)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2064)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 1040)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2528)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2120)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1140)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2584)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2624)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\attrib.exe (PID 2360)
        Command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
        Signatures: System Location Discovery: System Language Discovery; Views/modifies file attributes
      - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 1708)
        Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\regedit.exe (PID 2744)
      Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
      Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Runs regedit.exe
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2992)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2828)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
    Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Browser Extensions (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Credential Access
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)
Downloads