Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2024, 18:28
Behavioral task
behavioral1
Sample
0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target: 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Size: 255KB
MD5: 0bfa9cf3d04c2e33af496dac3aedac0d
SHA1: 6c32e2e0df76ef05869da736a73dda519d12f0e0
SHA256: cb59cf15b8adbf8cbed38f9c97c7e5b8cf31e4445ad28cac7c79836f86b0a07c
SHA512: 97f1970b33545f74e188fc3fe50ccc43789fb20b358ded3b6021a1e58eafea4bc981fab34dae50db6ae884c74694326c16d200626effc68f3166daf5c9b6ee82
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cnzbeanvjc.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cnzbeanvjc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cnzbeanvjc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cnzbeanvjc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3440 | cnzbeanvjc.exe
3060 | jfantlfrtzubiwj.exe
4720 | kcuwipat.exe
4728 | zheuudcbrmicj.exe
4336 | kcuwipat.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cnzbeanvjc.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zheuudcbrmicj.exe" | jfantlfrtzubiwj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vsudcget = "cnzbeanvjc.exe" | jfantlfrtzubiwj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\egwyhzfm = "jfantlfrtzubiwj.exe" | jfantlfrtzubiwj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cnzbeanvjc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cnzbeanvjc.exe
AutoIT Executable 64 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\cnzbeanvjc.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\jfantlfrtzubiwj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\jfantlfrtzubiwj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\kcuwipat.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zheuudcbrmicj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kcuwipat.exe
File opened for modification | C:\Windows\SysWOW64\cnzbeanvjc.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\kcuwipat.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zheuudcbrmicj.exe | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cnzbeanvjc.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kcuwipat.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kcuwipat.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kcuwipat.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kcuwipat.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kcuwipat.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kcuwipat.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kcuwipat.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kcuwipat.exe
Drops file in Windows directory 19 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnzbeanvjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jfantlfrtzubiwj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zheuudcbrmicj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcuwipat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcuwipat.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4964 | WINWORD.EXE
4964 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4964 | WINWORD.EXE
4964 | WINWORD.EXE
4964 | WINWORD.EXE
4964 | WINWORD.EXE
4964 | WINWORD.EXE
4964 | WINWORD.EXE
4964 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1948 wrote to memory of 3440 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 89
PID 1948 wrote to memory of 3440 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 89
PID 1948 wrote to memory of 3440 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 89
PID 1948 wrote to memory of 3060 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 90
PID 1948 wrote to memory of 3060 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 90
PID 1948 wrote to memory of 3060 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 90
PID 1948 wrote to memory of 4720 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 91
PID 1948 wrote to memory of 4720 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 91
PID 1948 wrote to memory of 4720 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 91
PID 1948 wrote to memory of 4728 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 92
PID 1948 wrote to memory of 4728 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 92
PID 1948 wrote to memory of 4728 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 92
PID 1948 wrote to memory of 4964 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 93
PID 1948 wrote to memory of 4964 | 1948 | 0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe | 93
PID 3440 wrote to memory of 4336 | 3440 | cnzbeanvjc.exe | 95
PID 3440 wrote to memory of 4336 | 3440 | cnzbeanvjc.exe | 95
PID 3440 wrote to memory of 4336 | 3440 | cnzbeanvjc.exe | 95
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe (PID:1948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0bfa9cf3d04c2e33af496dac3aedac0d_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cnzbeanvjc.exe (PID:3440)
        Command line: cnzbeanvjc.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visiblity of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\kcuwipat.exe (PID:4336)
            Command line: C:\Windows\system32\kcuwipat.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\jfantlfrtzubiwj.exe (PID:3060)
        Command line: jfantlfrtzubiwj.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\kcuwipat.exe (PID:4720)
        Command line: kcuwipat.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\zheuudcbrmicj.exe (PID:4728)
        Command line: zheuudcbrmicj.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID:4964)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3268)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1504 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB