wannacry | 57d3f6b3bebac1922ddfc9805b2fc1f5e779b2a3ce53a65022d3a29a135b686b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Size

1.6MB
MD5

cbaf4e5b4e4ebb82872138404bc3a9c6
SHA1

c639e1981bb95af59f17a3f3bbabab799cc0784d
SHA256

57d3f6b3bebac1922ddfc9805b2fc1f5e779b2a3ce53a65022d3a29a135b686b
SHA512

7ba4ce138d3657cce04814dc89c48213e82f7017578d7635561900f1e06d55d8a1a3a239e8c00cd33bcf9165f63b2d742f5de1dc135b03cfd4a09d4851453d6a
SSDEEP

49152:K0XgjwXY5vE30thnB1j3qxNU+fMv6x1J85vGVXvhXRyIQXs:K0XgSlkt50U+fMQDgvGVXZXiXs

Score

10^/10

wannacry discovery evasion persistence ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Renames multiple (3590) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe \Debugger\ = "cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe \Debugger	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2280-0-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral1/memory/2280-25-0x0000000000400000-0x0000000000480000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Deathgame = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Users\Admin\Desktop\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jaas_nt.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\net.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmpnscfg.exe.mui	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Curacao	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\ = "e"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "txt"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\ = "zip"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\ = "7z"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.e	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WNCRY\ = "WNCRYfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.WNCRY	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\ = "rar"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.e\ = "efile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\ = "doc"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\ = "WNCRY"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "zipfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "docfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe,0"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rarfile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "7zfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Virus.exe %1"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\efile\shell\open\command	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\DefaultIcon	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "exe"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7zfile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docfile	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "rarfile"	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\shell	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WNCRYfile\shell\open	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
2280	cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cbaf4e5b4e4ebb82872138404bc3a9c6_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
5KB

MD5
042c94b8bdb14996241b2ae5d7b5f4c2

SHA1
8b78fa17d12893f07fd4f19e0442e3ba669203f8

SHA256
d734844f39dc75a514cf5bb1fdb8a8c80530dbf2371cee3ae888f5eab359ce2b

SHA512
a0aa52e2f5299eb863546ff67bb5e514ae8e4057bce0cf52ca7c1fc37af37f5be63327456b963b1ebd3466124e1711ff487048856c6f3d2d479f8a2a37cd6bc3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

Filesize
809KB

MD5
98c0d835e1639e1b75ed4036c30f43d6

SHA1
3d322c09cfcee097038c1a4a8d550385b4b5dd03

SHA256
a45b1525b4e48c052a58da449dcec93bc6575502b5de25d58e0c9abd06b918d8

SHA512
9c4ea8f28b1077060c24c04da0bfdca26584c8661221eb6a3cdab0d8b33bc70080b19fa605f47ce0473b59d9ba128d5e6c4b5a595fb9bae128ae14b309ee23e9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
de56608874c4f699572421cbd1c7f738

SHA1
1b87d5e42fe86b1e6f55ad3d8a427bf1691e0755

SHA256
46cda9e1dc66623823d7be5ff7c2de0257e5f85e60f7d3a6d9471220f9d27d3f

SHA512
83d8d68b513bdca2b42bf19a2367384c3d9c9b024f69bbbb4c22ad6900cec9ab7ddf39612baed780393996e1e31166aa595b6a06f3122a2f2ec981cf9ab27e47

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT

Filesize
27B

MD5
e342b8d9bb482e574039b42eda739a4c

SHA1
585e8e0e314897a513f5120729ca475274a60b33

SHA256
ee303ff92706654fa909fb86a903bc97bbb82d59e0bac0ff0d6f46a81d39a678

SHA512
20253d14cbf17fd40aac2e054d1be3cb685da96a9c1d0535548c6f69de46bba40e6506ecc559520b2f53e8b1fed1b64b4e443ed795b6bdd47d3f5a55d9e35bb0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
27B

MD5
3f5793bd121d70fc048293e3f1e64adb

SHA1
343b64e8a401ba9b6e9ef837635b00f7d31ebf34

SHA256
d9dc452fb1133e5545e53e9f2022835493209d7c774837e2a4c12f19d74bec94

SHA512
7f696f460fdacdd3dc85d7ba3319ac281b32b8cd26a7838657034370ee219c8e155f728f812bd07edb1821cc316a22e2cdbf761814f7119b74e17026fe9ccc31

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
27B

MD5
9d32a69758f438be1465c7c0505b0f76

SHA1
8cc697bf9a433f750ea9a6abe5df48d73e5bdd2f

SHA256
360a9a3ded2e6914f066822a43634d079af6bda3d321d79c7a7071af8e0c8a9a

SHA512
ebbf38227fab313e5296f6290e05b9a2d725dfa8c66391b6dc5c989103eb1548d63a150d805f81eb5f5dae2dc71e29132470aa6fd8e4c09383c0b0a3e56a10cd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
27B

MD5
6854beea7debfb35a3347368d4e27dae

SHA1
24126621e5b9a3d0c8375bf2e885fd762360dac0

SHA256
7031f909b24bcf769c573ac45d7ab524f4a35d006f946e67b1c6c0fe01af8f7e

SHA512
d98da112ab0ac385de00535b1179801c4db1e7298f571cdd6f7e4eab7262abf238f829367dd8a493998bbbe84a0c26f6913cda63483d431f072de218d26c8651

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
cbcaa4461b5386b51f1523510616a2b8

SHA1
5b1e6c413418a451c54e369cdeec0a1d8da21b1f

SHA256
57df0736eb5f81e8bce0be02cc97df089f187354d1bad5cc01eefc42bfed33da

SHA512
156eefa3effb3d09cba66ce82080be1eb3178acfd93267098e73b06f931606231190ab5417ade872d540fd07e224da7005b4b49d04ef1631abde177b9ec3160e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
5f5360fbb9cc3e88b36fc7fde28c4513

SHA1
665682bbd6aa2127785457985610e75764c2ab52

SHA256
643e6998fe687549b8ffead9670140caac178ac27a96cb925368998360fce5ce

SHA512
07ddb5d0cde65d039858db77cc125c0911b5ffa195e126af29f38603ed2ca4554df4c4a9b6015ddf5073939c215970a6629d589edec069e5d3279feb7190e76d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
6d838e02827860904cfbd36feefa67f5

SHA1
133ce7af93bfd01c0d613b7c4934631a64ddfffe

SHA256
b56032147e641f3608ba7a2c7106f8cc37a5f6d49ad188efea101f05198c9e0d

SHA512
ff21273478e3f715f6d1aa38eeb43c7ddbe7e8966b2db7721e5a89d93b0ccae570f903a82d0eba37f801e1c12945740785ccbb9d9d7743b41484f19b779cf87f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
6285a81f124ee7c6d539c94d17311f0c

SHA1
d3a704f411ee7536c0d3688f6b913a8dea65802e

SHA256
df940872411b38fcf9de18bcf1631d5002c5500d8d19315ff2edc1b7d9188569

SHA512
20778a1c3e08e8e1e5c8749d1f25b98aeaf14179a3ead8316bcb3456c2a5b598f66195052b1e4796152a26ae57b0baf9be07c229b01050397bf02b0caf66f7ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
9e99afe25f0e5d24e873420af158e304

SHA1
b508d03ab72753b0901c22e2b33986e9e5c72c9e

SHA256
82c78bbaf047d53eb0936354553474614a6e27592aa93e51239594f2f7604741

SHA512
65884942fade98e322c7912ff6f0fcac3bd11f14de8b1f09b34d4733f29f9704079f503bbda1627b4f12e6f76a72f9fc1831c17509db4b34a9367e977915f49c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
7KB

MD5
95b2001d06bc040465d8a6e907ff6cca

SHA1
bf092135e569b4fd8bee0ea12eed8609ca0cd456

SHA256
9174c99f46c548c719c0e36205c6e820476ce0fa9d846c35ae486f891d9388a0

SHA512
8d74d55f2571482f240d1ac7d8930b3bb1cf47a06f4db2fb3dec1d2e2a885b0b827e8c0eaf37e7c4390b02c8a906fff8d219407df0badfef785375da48df6ba0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
133B

MD5
1ac8d2b6f91f8bb065313d67359814d0

SHA1
3bcff7aca09533bb346fb9cd8a474c18d45d597f

SHA256
5250d45d22734322fe4f4bc31d001358a4b39e57f196de2a89f46362f3c97041

SHA512
2903d4137961b05c8eac08309911e96921f6a83335e480c4066c34be07ff7b8435a644cec42b77ba0a743c88abe3e551a048b3be5281ca01f5ca4b228a8d6ca5

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
dedff4024288b45ca4d98434850849fb

SHA1
4f73565a7e35c886fae63ae497b2740f10d79d85

SHA256
8971a3dacab348f8852513ecf24d4222b0ac5ffa4d3f62c8ede8b4ae85af2aae

SHA512
4e01e4d09189db93be3bbfc9b1b23709bad8905f24a0c3f1717e5da869d54e86d12e157900ed9edc394d3bc1aeb44280caf3b240bfe52b6c5ee003334c0acce7

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
41B

MD5
20bd00c93b3f4e1b86f29b7ffdc40476

SHA1
5952f48cf428986bebe06fb754bf88f758e55077

SHA256
8c0d31ae63f3c6aa76456b61c6cabcc4bbd779e2b14ddc446022aa7543f2f6ad

SHA512
e86a3220d3ab4ef8d032d74ca6ab3e49bdc94ce2faf49ae9ad88d1dbb0cbac25390258d4a1c2cf1b98507ee14cb2e2e1eabcc2cb11dc847542ba28db01605a81

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
1e1314e6b08ecba13bd62d57f69c536a

SHA1
4ed5f61236439ac2120cfd691b83fe6f80cf16a6

SHA256
5d20422384823cb549d00269f0d56fa50c5b5eb5cfdd398e3a918d47a3faa1d2

SHA512
254572395c7a4a38f0ac7cdad106be835a975bbd40faf89fb8222437b666a42806c0f337defefe0f328003bc8e538e92f45c24a5a88ae61e0fcd8503b06be2ce

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
c41ecf2318ca144f00b1efbc91786908

SHA1
58a7c818c90603e4b8d3ef364ceb8a2130e56dc1

SHA256
14d27e44502b9335568cff2dc3d5a6650263cd21aaf1bc7fbb26cbd52c973478

SHA512
3411fa767ed887c459051a5899a883160d0fc16b0a221524b8f5e88c8c909103224b7ed22bf7e2f4fc296c7064ec2675be38d9a1822e8addffd2445a0ca353db

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
3KB

MD5
10f4a7013c27b2acb01a7213d96594cf

SHA1
f53ea400b82f0d9cc7ac864c4becc97a32d97400

SHA256
4f8ed95947925bdd35eeccaf7564609335d7e934dc41d90be772ab4936424d57

SHA512
d21e1d57f691dfdb8bb6ef998739eccf65e5836167b3888c9ae007b7d3362c17a5cb16518f394ffd2da19cf23c26ac28b94518c984cc55538efbf0f9c9b7d4f5

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
27B

MD5
b9199686259d2920cda73ed62e4d6328

SHA1
12fbd12fc2e8dad76965a152c66c3242d7d58911

SHA256
9f60b51eb4610dbfe3e66e088aab08d4f5bd51974c2c0e4d01d8c7a80acdef6e

SHA512
b7b77bad0a1da25bfc00678a46f4775d2ad20d9bde6a009260a54c7df3f2f0e6b37e502f33e34c9bb784646387c5a5e14035b816d8aabac4247b95442fb8a771

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
d45611d2c22f2fc2a1d04a6d7f675724

SHA1
7398399fb6512df5752fe2025ddc7baf69bcda51

SHA256
e941081396f73cc032aee12e146500ce0eb251e459498279e9624232d3c60989

SHA512
14bb810f81c73da2ac3e6a138f52e05afdb19061ec66419f78ee6ca16af66995d6fac77ba3f0bbc1c755f58a5734449f0de534913aa2a0f5124982412645f36a

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
27B

MD5
3f83c3b2904ee3df13e7c66f6025bc9b

SHA1
0dd583b18bc07c4b06a737a2e46df7bcb14541a9

SHA256
2040ca903454571c0e1dc5941876538a4d19281a1a8207a7c5165d57ea94909f

SHA512
70cad0b7904d1fad52cce82a2c112b932ad1bfc2f70522d8d76cd254a3231b5e7bc05f8c8895bb00e4c740b157e624ecf206bb29276772046a55d206d7ff2779

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
27B

MD5
1fb2465c9fd54f3530993244c5a54016

SHA1
e81c9d999a583a8924b3eb8a13104da0c18fcda5

SHA256
36221d176a135f3f08aa2ea4242b813743fe63fb330854a053c441405de658ff

SHA512
584ebe3d04f218de411e0a2568195411504d72e392bf62e1f2f5a671180abeb25e8fcf328eadf1278e8d937f278ec5a4d8d778c67793a495d7b5548b5839a090

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
27B

MD5
7b69962b71a0fd2097acb99d18e56097

SHA1
ba28857c336dc3c54713a7141ef877877098ee43

SHA256
23ff35a8988697fd94a9e16878f7d9cea8f93a39de34759659eb33137d8acb93

SHA512
6ee9f1a8d2e902baa169fb6f36e9f70259479f071b8dbfb9d0cc49451a59a57602de9fd2e77005bffe8e3f325fc2990327839807ae7e68aa163e1f2feeeec344

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
27B

MD5
4cd6e675a3566ee6fb4385716f775953

SHA1
ceab9addb7a9c7ec2b8541264b25776fba2a35b6

SHA256
b617cb14883cf412c94d701d6348d4101eda81e96d76e9afe7f2868ed2b6ffa3

SHA512
5c31141a6a84376038285c85179da04c21e7ecc36c21e8507411a0fe38b2eafd7d02642861dcf99635cffc1873b132afa0011a81d37e8ed3d2771c06639f1b2d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
27B

MD5
61e867680714dada7c35017982cd2681

SHA1
a3326e2a2234e6378a62d73cebd8d134f3103488

SHA256
d14329ae0d179a51b39ed6a7de1ea25802c1fc726847b695dbbb3daf317e0995

SHA512
072277fff810d875d09960bdd40bcfef35474f4e45060389e1fb59c999957aea04e1897857768275b1ecfb3755dcf8dc9357ab35bee99ff138c7cd7f59889495

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
27B

MD5
38d0bdf84421b6bc04cf390f382e2c02

SHA1
288488bfb72645e73caf3d6129e7e6310eb84009

SHA256
221c4b1e49cc084e1c40ceb136b590e55a1e0d68a7e88ab7d9b49ca1077982d6

SHA512
33ea75c53c5374b2828ff7baac1ec3c2403e26148fa47e0d328cc0d9fc7fe1f27c3b8f7c8e96b8d18ceecf23b34c896ecdc53e3dbbba1cd9ac3974d6fa9aabd0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
6e910b8fecd204980ae47ef14c0e52ca

SHA1
7a5542a591c4f1588cf0c9da4b361fc8c88abdb5

SHA256
33e82dfd06b9c82cb37d798ea775f57988cb8ffb8cdebe5c69bbff0053c4984c

SHA512
2645e3ed33afb28da71df04064a3e7a823b4a4acd44cdb4c4ffd0f022247edcdac81169a6c82424600ea9a5498ab838f4463380d6fde8f559bdda54fd616a81f

Download Submit
C:\Users\boot1.ini

Filesize
64B

MD5
8cc2dc37ef1d6e096840516da80f5f6d

SHA1
f51b9f9b2d4305da20417e3805e593c46f56b7cf

SHA256
3f018c152f89943781d8b8ff2d5286e00307f0af36ad8a2a676c3064fbdc4208

SHA512
6a0e541ba7ff049b134c7e73bac5a07729e694bb18721e55629e22af536654e5a4ea056b60c308f316ae0ec4741981bfedfa0ac602985fb7c70ce7a81cf5d050

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\EDataStructure.fne

Filesize
112KB

MD5
6a30e23a7c7c1466a2ce99764946eb40

SHA1
8f7fe3f24629b3face1ce0c72a3d3eda0734731f

SHA256
c654c0d0dae76e02b0bfa2c47093a203990b864d82792ead9ba35be9c5e8334e

SHA512
40972733375e1ffbe30f4b5d83b5289278b90c6b2a40f5cdbfc321ec69433ae0d2b462787aff6d76b58ca3b3649d4fc708fc815df11bce1abf838ee447e171ae

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\dp1.fne

Filesize
128KB

MD5
920cb59c7a996b8857da3c070941d277

SHA1
ce5320946160cce3c9a242cf72673777479a9160

SHA256
33ee75183b71057534c20d7f62428f1c0db5d192e25ddcf4ca290dfb20469e98

SHA512
14b19f0691f7751719d27b9a95be2a71b67f72d1ffb15bdcaf3817b31a9281964122f7f06a9595d1b5791fcaf23ac361948cce4150f351b4d1d52ebc811c4c03

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr

Filesize
204KB

MD5
4c977e09b483d7b837aae8af5a9efe17

SHA1
b82fe069821cbc6d775efdae3fa1f6fcbf946f43

SHA256
5c1d7bcb0bbb3e8eebbb0d25534d56454b640f6fdaa1448060af48556dded789

SHA512
54b514beff4721e047e513749ab19c4f87a634bb421a8b123dd2b4bad912d34cc4e5812e4a2691c0e2e8f2fe6d08b715dc8a15dabd0f43af4250bacd46d46692

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\internet.fne

Filesize
188KB

MD5
4a870520ae56e37114b434bb7e49f129

SHA1
b4aa3bcd0a843dc65a8ae1005ae8a53718404050

SHA256
24ef1ec7487d6ee2bdbd9f1cb661864a42836b55a4fec8a58b48943679fdf1dd

SHA512
71e698e8839dcf3a7ea9fb97b55ac3f393e7cc63b78ab61756e02ffa36c5df0491fe85acfa6faf70826b079956288079521e944d5013700383fadd29bedcf744

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr

Filesize
1.2MB

MD5
c82e5f20bdc6fcb9e258332dc413217e

SHA1
daf2d2a9edd8f7dd1ed5f5a95778a190411d8faa

SHA256
8fbac3885d39c34822bd73873b43309a87e7c26071884858a887bbe2dcce6fe3

SHA512
613f410bd7babaa66b58570c38b27f5d23ab6f3bdc0d4236884c16a92879c8b3860dcaddd7891ab7ceab63b41cf042f41cf59d08f661cda1550b1b62d5c98156

Download Submit
\Users\Admin\AppData\Local\Temp\E_N60005\shell.fne

Filesize
64KB

MD5
75430e1204be1e6e3ec68ceb99ce681c

SHA1
96b17f023e197f2476af0ae068c7d2968944000a

SHA256
54b377bf121b08d47b31be755ec33597b4c37acb1d95cb5bf950e795674f0d81

SHA512
cb9228e07f018cb6310f9d40e3056da412549f49d6cef7fc3fe707e42dcda2dd38eecbeb5991a7569fcc1739579be2c52b1f99b6c6a1f69155c12156e5057b6b

Download Submit
memory/2280-19-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2280-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2280-10-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2280-13-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/2280-16-0x0000000000350000-0x000000000036D000-memory.dmp

Filesize
116KB

Download
memory/2280-23-0x0000000001ED0000-0x0000000001F0E000-memory.dmp

Filesize
248KB

Download
memory/2280-25-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2280-49-0x0000000001F90000-0x0000000001FBE000-memory.dmp

Filesize
184KB

Download
memory/2280-12883-0x0000000010000000-0x000000001014B000-memory.dmp

Filesize
1.3MB

Download
memory/2280-12884-0x0000000001F20000-0x0000000001F61000-memory.dmp

Filesize
260KB

Download
memory/2280-12885-0x0000000000350000-0x000000000036D000-memory.dmp

Filesize
116KB

Download
memory/2280-12887-0x0000000001ED0000-0x0000000001F0E000-memory.dmp

Filesize
248KB

Download
memory/2280-12890-0x0000000001F90000-0x0000000001FBE000-memory.dmp

Filesize
184KB

Download