Analysis
max time kernel: 149s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2024, 06:46
Behavioral task
behavioral1
Sample
38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target: 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Size: 255KB
MD5: 38e1221a40e0325b2bc547e1bcbca91b
SHA1: daae377df141d9505b6fc074eb3b2690dc8f8717
SHA256: 7a2e00ba3e4c1e3bdc8ae5ad27270495e124e8919bb9fdf222f33f32aa1da819
SHA512: 2fae3ad7385d68a4f41fa8dae20e48eb022320a29ef487dd81b011a93c4c8d7809d1d2e38aa48f300d66a99aff40edb20665adee6e79760ac4c0de0b87bf842f
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJA:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIP
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csuzxrykxk.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csuzxrykxk.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | csuzxrykxk.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csuzxrykxk.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Executes dropped EXE 5 IoCs
pid | Process
3736 | csuzxrykxk.exe
2344 | xaprakwtgcocqfk.exe
2180 | yaahzpzj.exe
4972 | ovxmirkouuawz.exe
2156 | yaahzpzj.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | csuzxrykxk.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\glhcmekr = "csuzxrykxk.exe" | xaprakwtgcocqfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\seoridin = "xaprakwtgcocqfk.exe" | xaprakwtgcocqfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ovxmirkouuawz.exe" | xaprakwtgcocqfk.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | csuzxrykxk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | csuzxrykxk.exe
AutoIT Executable 60 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ovxmirkouuawz.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | C:\Windows\SysWOW64\csuzxrykxk.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\xaprakwtgcocqfk.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yaahzpzj.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ovxmirkouuawz.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csuzxrykxk.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | C:\Windows\SysWOW64\csuzxrykxk.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\xaprakwtgcocqfk.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yaahzpzj.exe | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yaahzpzj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\UsePing.nal | yaahzpzj.exe
File opened for modification | \??\c:\Program Files\UsePing.doc.exe | yaahzpzj.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yaahzpzj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yaahzpzj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yaahzpzj.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yaahzpzj.exe
File opened for modification | C:\Program Files\UsePing.nal | yaahzpzj.exe
File created | \??\c:\Program Files\UsePing.doc.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\UsePing.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Program Files\UsePing.doc.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\UsePing.doc.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yaahzpzj.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yaahzpzj.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | C:\Windows\mydoc.rtf | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | yaahzpzj.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yaahzpzj.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | yaahzpzj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csuzxrykxk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xaprakwtgcocqfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yaahzpzj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ovxmirkouuawz.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yaahzpzj.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7B9D2C82556D3477D2772F2CAE7C8664AD" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB9FE6C21DBD27DD0D28A0B9013" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | csuzxrykxk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | csuzxrykxk.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFACCFE14F2E0830E3B4A819C3E95B088028C4367033AE2CF42E608A1" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | csuzxrykxk.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | csuzxrykxk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67415EDDBC0B8CD7CE0ED9734C7" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | csuzxrykxk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | csuzxrykxk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12B47EF39EA52C4B9D2339FD7CC" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCF84F28851C9131D65A7DE5BDE2E637584267466242D69E" | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
920 | WINWORD.EXE
920 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1032 wrote to memory of 3736 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 85
PID 1032 wrote to memory of 3736 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 85
PID 1032 wrote to memory of 3736 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 85
PID 1032 wrote to memory of 2344 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 86
PID 1032 wrote to memory of 2344 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 86
PID 1032 wrote to memory of 2344 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 86
PID 1032 wrote to memory of 2180 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 87
PID 1032 wrote to memory of 2180 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 87
PID 1032 wrote to memory of 2180 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 87
PID 1032 wrote to memory of 4972 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 88
PID 1032 wrote to memory of 4972 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 88
PID 1032 wrote to memory of 4972 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 88
PID 3736 wrote to memory of 2156 | 3736 | csuzxrykxk.exe | 90
PID 3736 wrote to memory of 2156 | 3736 | csuzxrykxk.exe | 90
PID 3736 wrote to memory of 2156 | 3736 | csuzxrykxk.exe | 90
PID 1032 wrote to memory of 920 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 91
PID 1032 wrote to memory of 920 | 1032 | 38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\38e1221a40e0325b2bc547e1bcbca91b_JaffaCakes118.exe" 1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
C:\Windows\SysWOW64\csuzxrykxk.exe csuzxrykxk.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
C:\Windows\SysWOW64\yaahzpzj.exe C:\Windows\system32\yaahzpzj.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156
C:\Windows\SysWOW64\xaprakwtgcocqfk.exe xaprakwtgcocqfk.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2344
C:\Windows\SysWOW64\yaahzpzj.exe yaahzpzj.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2180
C:\Windows\SysWOW64\ovxmirkouuawz.exe ovxmirkouuawz.exe 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4972
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" 2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:920
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 1KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 2KB