Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 07:03
Behavioral task: behavioral1
- Sample: 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
- Size: 255KB
- MD5: 2ce90a7ccef295dffd02af7eac4ca4a7
- SHA1: f389d52e3c9fc0e6c4ae0c2746e67b8aa17f97cd
- SHA256: 451dc58e2c48916c3929d5cc707a195031af65e4c070e0f1e6cde8038fd3cd84
- SHA512: 99c14e7e54316a5bf0bd8f1ba21c4280061755ccf0f00815c936d1ac22daa023f7297d54fcc6e94b1d855aa3f383ec900f4427032092fca7dc40e9f49aa745e1
- SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6A:Plf5j6zCNa0xeE3mV
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | taztptnvua.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | taztptnvua.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | taztptnvua.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | taztptnvua.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
4684 | taztptnvua.exe
2120 | iflrksyhsfvoiwz.exe
1980 | cypifjsm.exe
844 | zjgsubcgfjjho.exe
1256 | cypifjsm.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | taztptnvua.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzjhvhtl = "iflrksyhsfvoiwz.exe" | iflrksyhsfvoiwz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zjgsubcgfjjho.exe" | iflrksyhsfvoiwz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rpmhjwys = "taztptnvua.exe" | iflrksyhsfvoiwz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | taztptnvua.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | taztptnvua.exe
AutoIT Executable 61 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | taztptnvua.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | C:\Windows\SysWOW64\taztptnvua.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\taztptnvua.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iflrksyhsfvoiwz.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\zjgsubcgfjjho.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zjgsubcgfjjho.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | C:\Windows\SysWOW64\iflrksyhsfvoiwz.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cypifjsm.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cypifjsm.exe | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cypifjsm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cypifjsm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cypifjsm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cypifjsm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cypifjsm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cypifjsm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cypifjsm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cypifjsm.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cypifjsm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cypifjsm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cypifjsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taztptnvua.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iflrksyhsfvoiwz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cypifjsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zjgsubcgfjjho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cypifjsm.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | taztptnvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | taztptnvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C799D2382206D4577D470512DD87CF464D8" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B05844EE39EB53C8BAA733EFD7CB" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF8D48278212903DD75A7D96BD95E134593667366336D79B" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | taztptnvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | taztptnvua.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | taztptnvua.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | taztptnvua.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | taztptnvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAC9F961F2E0837B3A4281EB3999B38C028B42150349E1BE45E709A0" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B5FE6921D0D27AD1A98B099010" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | taztptnvua.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | taztptnvua.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | taztptnvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | taztptnvua.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77B1591DAB3B9B97C95ECE534BE" | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | taztptnvua.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1376 | WINWORD.EXE
1376 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1376 | WINWORD.EXE
1376 | WINWORD.EXE
1376 | WINWORD.EXE
1376 | WINWORD.EXE
1376 | WINWORD.EXE
1376 | WINWORD.EXE
1376 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1016 wrote to memory of 4684 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 85
PID 1016 wrote to memory of 4684 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 85
PID 1016 wrote to memory of 4684 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 85
PID 1016 wrote to memory of 2120 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 86
PID 1016 wrote to memory of 2120 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 86
PID 1016 wrote to memory of 2120 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 86
PID 1016 wrote to memory of 1980 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 88
PID 1016 wrote to memory of 1980 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 88
PID 1016 wrote to memory of 1980 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 88
PID 1016 wrote to memory of 844 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 89
PID 1016 wrote to memory of 844 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 89
PID 1016 wrote to memory of 844 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 89
PID 4684 wrote to memory of 1256 | 4684 | taztptnvua.exe | 90
PID 4684 wrote to memory of 1256 | 4684 | taztptnvua.exe | 90
PID 4684 wrote to memory of 1256 | 4684 | taztptnvua.exe | 90
PID 1016 wrote to memory of 1376 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 91
PID 1016 wrote to memory of 1376 | 1016 | 2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe | 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\2ce90a7ccef295dffd02af7eac4ca4a7_JaffaCakes118.exe" 1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\taztptnvua.exe taztptnvua.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\cypifjsm.exe C:\Windows\system32\cypifjsm.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256
-
-
-
C:\Windows\SysWOW64\iflrksyhsfvoiwz.exe iflrksyhsfvoiwz.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120
-
-
C:\Windows\SysWOW64\cypifjsm.exe cypifjsm.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1980
-
-
C:\Windows\SysWOW64\zjgsubcgfjjho.exe zjgsubcgfjjho.exe 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:844
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" 2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1376
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 1KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 2KB