Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 19:53
Behavioral task
behavioral1
Sample
07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe
-
Size
255KB
-
MD5
07302e8a2533fd1b255a1e7ffa67e1f0
-
SHA1
1fc108bcfee2c334545241be97b7db200342437d
-
SHA256
4a58739beb97d2a3dc4d5d8c58157c16a80d486121292a96204beb72abbbaae6
-
SHA512
159a0b9fa62d37c6d3e789df679c44324333046d4f25883b82a1a4b20c59ad01f76bd82ef2f3717fd95c6ed89302d0bee50e5e62b06fdd0a16cb35f223e4cbf5
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIx
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" pmulnvyvco.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" pmulnvyvco.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pmulnvyvco.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" pmulnvyvco.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 3380 pmulnvyvco.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 4272 lasjdswuopdvs.exe 1804 plshmjob.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" pmulnvyvco.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xtilmnhc = "pmulnvyvco.exe" zbmdcnvhtztycdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baahdirn = "zbmdcnvhtztycdj.exe" zbmdcnvhtztycdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lasjdswuopdvs.exe" zbmdcnvhtztycdj.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: pmulnvyvco.exe File opened (read-only) \??\w: pmulnvyvco.exe File opened (read-only) \??\x: pmulnvyvco.exe File opened (read-only) \??\g: plshmjob.exe File opened (read-only) \??\j: plshmjob.exe File opened (read-only) \??\z: pmulnvyvco.exe File opened (read-only) \??\b: plshmjob.exe File opened (read-only) \??\o: plshmjob.exe File opened (read-only) \??\m: plshmjob.exe File opened (read-only) \??\o: plshmjob.exe File opened (read-only) \??\u: plshmjob.exe File opened (read-only) \??\x: plshmjob.exe File opened (read-only) \??\k: pmulnvyvco.exe File opened (read-only) \??\m: pmulnvyvco.exe File opened (read-only) \??\t: plshmjob.exe File opened (read-only) \??\i: plshmjob.exe File opened (read-only) \??\r: plshmjob.exe File opened (read-only) \??\w: plshmjob.exe File opened (read-only) \??\j: pmulnvyvco.exe File opened (read-only) \??\o: pmulnvyvco.exe File opened (read-only) \??\b: plshmjob.exe File opened (read-only) \??\g: plshmjob.exe File opened (read-only) \??\h: plshmjob.exe File opened (read-only) \??\i: plshmjob.exe File opened (read-only) \??\l: plshmjob.exe File opened (read-only) \??\p: plshmjob.exe File opened (read-only) \??\e: pmulnvyvco.exe File opened (read-only) \??\p: pmulnvyvco.exe File opened (read-only) \??\q: pmulnvyvco.exe File opened (read-only) \??\j: plshmjob.exe File opened (read-only) \??\z: plshmjob.exe File opened (read-only) \??\x: plshmjob.exe File opened (read-only) \??\e: plshmjob.exe File opened (read-only) \??\q: plshmjob.exe File opened (read-only) \??\w: plshmjob.exe File opened (read-only) \??\r: plshmjob.exe File opened (read-only) \??\s: plshmjob.exe File opened (read-only) \??\y: plshmjob.exe File opened (read-only) \??\u: pmulnvyvco.exe File opened (read-only) \??\v: pmulnvyvco.exe File opened (read-only) \??\a: pmulnvyvco.exe File opened (read-only) \??\s: pmulnvyvco.exe File opened (read-only) \??\u: plshmjob.exe File opened (read-only) \??\v: plshmjob.exe File opened (read-only) \??\q: plshmjob.exe File opened (read-only) \??\t: plshmjob.exe File opened (read-only) \??\v: plshmjob.exe File opened (read-only) \??\g: pmulnvyvco.exe File opened (read-only) \??\h: pmulnvyvco.exe File opened (read-only) \??\h: plshmjob.exe File opened (read-only) \??\n: plshmjob.exe File opened (read-only) \??\z: plshmjob.exe File opened (read-only) \??\i: pmulnvyvco.exe File opened (read-only) \??\s: plshmjob.exe File opened (read-only) \??\a: plshmjob.exe File opened (read-only) \??\t: pmulnvyvco.exe File opened (read-only) \??\l: plshmjob.exe File opened (read-only) \??\m: plshmjob.exe File opened (read-only) \??\l: pmulnvyvco.exe File opened (read-only) \??\p: plshmjob.exe File opened (read-only) \??\y: plshmjob.exe File opened (read-only) \??\e: plshmjob.exe File opened (read-only) \??\k: plshmjob.exe File opened (read-only) \??\r: pmulnvyvco.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" pmulnvyvco.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" pmulnvyvco.exe -
AutoIT Executable 60 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2808-26-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3468-36-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-42-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-86-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-87-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-88-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-89-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-90-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-92-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-93-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-91-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-94-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-95-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-599-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-600-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-603-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-602-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-601-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-604-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-605-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-606-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-607-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-608-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-609-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-612-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-611-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-610-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-613-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1648-616-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1804-617-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-618-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-619-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-620-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-621-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-622-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-623-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-630-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-631-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-629-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-632-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-634-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-633-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-635-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-637-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-636-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-639-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-638-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-640-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-642-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-643-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-641-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-644-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-645-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-646-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-648-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-649-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-647-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3380-650-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2808-651-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4272-652-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe plshmjob.exe File created C:\Windows\SysWOW64\pmulnvyvco.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\plshmjob.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File created C:\Windows\SysWOW64\lasjdswuopdvs.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll pmulnvyvco.exe File opened for modification C:\Windows\SysWOW64\lasjdswuopdvs.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification C:\Windows\SysWOW64\pmulnvyvco.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File created C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\zbmdcnvhtztycdj.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File created C:\Windows\SysWOW64\plshmjob.exe 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3468-0-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x00090000000233cc-3.dat upx behavioral2/files/0x0008000000023429-23.dat upx behavioral2/files/0x000700000002342d-24.dat upx behavioral2/memory/1648-27-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-26-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000700000002342e-31.dat upx behavioral2/memory/4272-32-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3468-36-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-42-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000700000002343b-78.dat upx behavioral2/files/0x000700000002343a-72.dat upx behavioral2/memory/3380-86-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-87-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-88-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-89-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-90-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-92-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-93-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-91-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-94-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-95-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000200000001e4e3-113.dat upx behavioral2/files/0x000200000001e4e3-118.dat upx behavioral2/memory/3380-599-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-600-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-603-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-602-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-601-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-604-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-605-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-606-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-607-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-608-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-609-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-612-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-611-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-610-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-613-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1648-616-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1804-617-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-618-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-619-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-620-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-621-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-622-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-623-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-630-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-631-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-629-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-632-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-634-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-633-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-635-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-637-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-636-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-639-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-638-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-640-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-642-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4272-643-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-641-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3380-644-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2808-645-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal plshmjob.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe plshmjob.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe plshmjob.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe plshmjob.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe plshmjob.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe plshmjob.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe plshmjob.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe plshmjob.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe plshmjob.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe plshmjob.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe plshmjob.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe plshmjob.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification C:\Windows\mydoc.rtf 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe plshmjob.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe plshmjob.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe plshmjob.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe plshmjob.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plshmjob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lasjdswuopdvs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plshmjob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pmulnvyvco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zbmdcnvhtztycdj.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB15F449439EA53BABAA7329AD7C4" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B1FE6D21ABD27DD0A08A0E9110" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C60915E3DAB3B8C07C92ECE734C7" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" pmulnvyvco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C0C9D2C83536A3277D6772F2DD87DF664D6" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" pmulnvyvco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc pmulnvyvco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf pmulnvyvco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" pmulnvyvco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs pmulnvyvco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" pmulnvyvco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFFF94F5A851B913CD65D7E92BC93E13D584767436241D6EE" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat pmulnvyvco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh pmulnvyvco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg pmulnvyvco.exe Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFACDF960F1E283083B30819D3999B38B03FE4213024BE1CD429D08A0" 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" pmulnvyvco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" pmulnvyvco.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4200 WINWORD.EXE 4200 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 1648 plshmjob.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 2808 zbmdcnvhtztycdj.exe 2808 zbmdcnvhtztycdj.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 3380 pmulnvyvco.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 2808 zbmdcnvhtztycdj.exe 1648 plshmjob.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 4272 lasjdswuopdvs.exe 1804 plshmjob.exe 1804 plshmjob.exe 1804 plshmjob.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE 4200 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3468 wrote to memory of 3380 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 82 PID 3468 wrote to memory of 3380 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 82 PID 3468 wrote to memory of 3380 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 82 PID 3468 wrote to memory of 2808 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 83 PID 3468 wrote to memory of 2808 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 83 PID 3468 wrote to memory of 2808 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 83 PID 3468 wrote to memory of 1648 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 84 PID 3468 wrote to memory of 1648 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 84 PID 3468 wrote to memory of 1648 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 84 PID 3468 wrote to memory of 4272 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 85 PID 3468 wrote to memory of 4272 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 85 PID 3468 wrote to memory of 4272 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 85 PID 3468 wrote to memory of 4200 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 86 PID 3468 wrote to memory of 4200 3468 07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe 86 PID 3380 wrote to memory of 1804 3380 pmulnvyvco.exe 88 PID 3380 wrote to memory of 1804 3380 pmulnvyvco.exe 88 PID 3380 wrote to memory of 1804 3380 pmulnvyvco.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\07302e8a2533fd1b255a1e7ffa67e1f0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\pmulnvyvco.exepmulnvyvco.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\plshmjob.exeC:\Windows\system32\plshmjob.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1804
-
-
-
C:\Windows\SysWOW64\zbmdcnvhtztycdj.exezbmdcnvhtztycdj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808
-
-
C:\Windows\SysWOW64\plshmjob.exeplshmjob.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1648
-
-
C:\Windows\SysWOW64\lasjdswuopdvs.exelasjdswuopdvs.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4272
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4200
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD52f245fb5a087da491a79eb2d18b2fe0b
SHA19cc8a36ba747be09d185444da4da8daf407d8d50
SHA256501c71c6162d19b89652448e7160409e96da013274c0cc4aae25415a1f74d804
SHA512cad25f745f0f5bcca8887318d8a078e293c48e0c598e7a36a0d7ff211971c0888d0b083c60ecb4f654e1a7d5da1137c4c3127fa3992fce31e75c413de8e19e97
-
Filesize
255KB
MD53c1812b0f44eedab4dea494096f19169
SHA1a8e63f7d8664e166bc8838eb07784b6e9ff5aa1f
SHA2565e3294d61cb18dd15ccfee3371a28a78d2a732f0ff8e4504d2ee02af6cae6240
SHA51276fbe1a011526ef6e3604074839367ac216c8c163f9e8c3b0d2d4343b768eaa3b11744835a1c4288a41fb0b90f639787ac58a2a6cc721559eb86a537b6bbc0f0
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
327B
MD5f6e9124567924c6efcb0042d87971722
SHA1299f7f9820c613a5422d687686efefb0f329a444
SHA256ba1ad5c1496d6178c12fff875b208b0b2c0ea68d3d3635304c29c4903e2d6c9d
SHA512c2a375a5cab7c81c87607d1629c5ecea2b3e504d47ae6a22247b9f227f8bfc4760b615d2ce8b91a4fcc93b619106c9062c22407377b19faa8fc7a61872c6dd9f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD52841fa0b0451404b9372c67e40387929
SHA13981488ebd35a6fe1b28d2fb339eebda953967c9
SHA2568f3627fc13617d5711186dfdf996cfa01fb485232d8ae94a325bd2fb331aeddc
SHA512b487d7e157df63fc3309c2993b83d2808ed5e53dca495380a7f5d6431d136978d703d44b57a667bd4f53d9f7c2699b03da36d2f74e7780ef11d8829cc53e4e52
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD5ca8acd755b2c675c86ab06f5e574a029
SHA184b2e014761c4f2b0d8dca65beaf5beb03dbb7b9
SHA25676b9c582c5bb2e070460a44ea13e4813e9841fab3dc23fce31696e65992b74dd
SHA512f377fb4a5ec8b547ac03c2b25c49cf9d704204fd369069926ecea1d986afb36695b5b7ec4ddba0a2fd98a83c6613bc7b009fea34f5457116a1157aa41f360c44
-
Filesize
255KB
MD51efae9a43574015843b6411ccdabec77
SHA1a53e7ac3ff3d35cf075b529680f963094d333d61
SHA25685c4bffbbded3de08b39a93ded99407f30c620ab07353514c5f2eeda816ac8b6
SHA5121b62c2d983df9d08ea67b2209a636bbbb670bf86e9913ea96d9fd5e79f5ca03d5554ac8f2dc9a90c8726adb8dea811296700c09ad6ba75f8419f4843ab27fa93
-
Filesize
255KB
MD5555c74dfa7a6d482d1dc70fe7c4de9db
SHA155956f7b74694002a7d025fbf165112ba0b59edf
SHA2568067c2ca19a5c81b12d25bdd59d229366fb5cc1627fb84857147b9af700d8e35
SHA5122c695c5f5468273c5ebd1f86e5b3b0afa025489f9ce9021156bcfed2420625719a50fa14e557ae13cb33857688c8d4938d0395f7313ce571e98631ea4f8f95e0
-
Filesize
255KB
MD58bd34c14b4977d68fc2a99d3403937d9
SHA1d03e829263330700e07afdd705ed4d37d6a707c5
SHA256726c44c31a75650893c44363156c42ffc48939dd99b7bfb44d52b4ffc825dd5d
SHA51292017d2302baeab6ab11a642d5e71fd10a4df999084538161715de1f7ff91caee946a209a514b7acfc0f5cad48f898fe210037caaff4dce06f9b0b2c70be0db8
-
Filesize
255KB
MD528c1b22ef8879b4ca841a86e4d6911ed
SHA1b1e0cac7cffe3472067c904ee0ffcb093eac3182
SHA256ec92935c04b1f9e07a5c2c05ab9a0183286632d06e46899532ef1ac4a88cc308
SHA512f5a08809ca3ca9c5caa0bc5ba4a8bc230fd867374130fa0cbf2fa6bacae1b40869fc46921f274c4b128b23a7c03378b1543fcda12c785696338303b623d6d973
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD5e9ebad333de4d41392c2a84b2b66048e
SHA12f5df2753ea1f1f4461d125db78e80fe1c757af3
SHA25613def1048be94d955baea0b09dcc02e71154fdb7c38b9f0535230ad1b6146a5f
SHA512353229d7db4dcb06f3ed7834917bd6d9d29644eb4580fa6273c416142d1b1d2fe8eb27821664994218fbb9cefcaeeafaec91a9b46790b45cbcec18dc97b5133c
-
Filesize
255KB
MD55231b797ee76ca7153c8eb33fe2d8cef
SHA1f069543ae3dbb8fba172c4818557c48046429d5c
SHA256e87b3e13f1c61c78833aa0203536a988f72e0ec126f2515e1c34dbc94e2d39a4
SHA512db466fe04c27c9ae2dafb9d34d684710791ae9180ef85e0fbd336c936dfa90a281c413a3b23f350c05c94d22b3a1314cd546f7fb2092c838b86b80c752ce6b7b