Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-10-2024 16:12
Behavioral task
behavioral1
Sample
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe
-
Size
526KB
-
MD5
6fccbe041e1dd9a5e2cb7fd93c981389
-
SHA1
9490421957fc19da0b0e273104f8a712e63c968d
-
SHA256
c65ade0d652262eb829c23077cd9cf690115f18fce081d807a733cf66e23cd15
-
SHA512
8154d547c08ae714e27b7e779d3dc81c722137bd7ede6cce942ff2869daa7eb1a241b243948db6489b57341918a3cf74838c76c0d2157783f2301987522820c1
-
SSDEEP
3072:+R1y22xLm8D8CVUaBsG4J4llVFE764dym8:I1y225dD8Cz2J49e64dym8
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 14 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
winlogon.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcciomon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pathping.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieCrypto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vccmserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msn.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe -
Drops startup file 1 IoCs
Processes:
winlogon.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe winlogon.exe -
Executes dropped EXE 3 IoCs
Processes:
winlogon.exewinlogon.exewinlogon.exepid process 2812 winlogon.exe 1824 winlogon.exe 1672 winlogon.exe -
Loads dropped DLL 3 IoCs
Processes:
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exewinlogon.exepid process 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 2812 winlogon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Processes:
winlogon.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE winlogon.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exewinlogon.exewinlogon.exedescription pid process target process PID 2484 set thread context of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2812 set thread context of 1824 2812 winlogon.exe winlogon.exe PID 1824 set thread context of 1672 1824 winlogon.exe winlogon.exe -
Processes:
resource yara_rule behavioral1/memory/2484-0-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/2824-18-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-16-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-15-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2484-14-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/2824-13-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-9-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-5-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-3-0x0000000000400000-0x000000000041C000-memory.dmp upx \Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/2824-25-0x0000000000590000-0x00000000005C8000-memory.dmp upx behavioral1/memory/1824-51-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2824-53-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/2812-33-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/1672-54-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-60-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-59-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-58-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-57-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1824-63-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1672-71-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-72-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-73-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-75-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-403-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-564-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-650-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-865-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-1071-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-1185-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/1672-1187-0x0000000000400000-0x0000000000443000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exewinlogon.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEwinlogon.exewinlogon.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Modifies Control Panel 2 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Sound\Beep = "no" winlogon.exe -
Processes:
iexplore.exewinlogon.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10aa09796625db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000b7f4246ee565659be2a668f6afcf53b2a00e77253ca6939bf9e817ee027189ea000000000e80000000020000200000001b1ef5bea6ffdc32cd86e357d833dbae95d2549aab5e2af91a1ffff9a78194562000000092e270f5bf7d710b5ea8db73f038ea70b59e9824e8654561c3b8800594799e9540000000bd69cb1bcff2b37e546cab283420ba29073d5941fcbd7deb4296b7363f59355ff281a7c893a8b616943fca9cb7bf6fa6997da8e5f645699a93fd84d3d974adaa iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7824CD1-9159-11EF-BFDF-52AA2C275983} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435861865" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://526f0r8m33hg002.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://83468ienbaf70s4.directorio-w.com" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://pp69hbdm6516d3s.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://m00i0hhqk93bq3t.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000d4b5fccadecd974407d37962fb03f55ef55f0b2555a3a67bc2d656e7baa1aa59000000000e80000000020000200000004c1e784ecff55fa1422114e721d5df3d134a2685570ea2d9672673654e922da890000000df4a7e2b40089d128b4886f092d1604d8b488ba5ff12883ecd27e92e98ec08915a42e8bc829241095e2be9fd57b963697ee76e643f1fea570edbe4656268f3422cddc7023873008b43ecf79c4c6764b4b4890f42da98c6f04aab4224b798f2d20426d1eb5b3f9d5df52336fef76d65c6e09b088795f3735e28607b27fb94d3384d094e91a35d6cb127677e8667f12aef400000009ded229a0469ad87c36ec3f31e629adee1a1fd0f421eb563083b7e462b029631a612a424f97e5051e02bbebebd758274406a454b5dc74db12c1dafc8203a2f56 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://1e85ajnnknnk6y5.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://18q9gduw39bj502.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://ja7t9uh4929xn4o.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://6a2w65s15hf5v7e.directorio-w.com" winlogon.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://94j67fpq69tt38p.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://4d18kkanof6k5o1.directorio-w.com" winlogon.exe -
Modifies registry class 24 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
winlogon.exepid process 1672 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
winlogon.exedescription pid process Token: SeBackupPrivilege 1672 winlogon.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
iexplore.exepid process 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe 2100 iexplore.exe -
Suspicious use of SetWindowsHookEx 35 IoCs
Processes:
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exewinlogon.exewinlogon.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEpid process 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 1824 winlogon.exe 1672 winlogon.exe 2100 iexplore.exe 2100 iexplore.exe 1048 IEXPLORE.EXE 1048 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 2328 IEXPLORE.EXE 2328 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 2056 IEXPLORE.EXE 2056 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 2916 IEXPLORE.EXE 2916 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 1048 IEXPLORE.EXE 1048 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 1748 IEXPLORE.EXE 1748 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 2328 IEXPLORE.EXE 2328 IEXPLORE.EXE 2100 iexplore.exe 2100 iexplore.exe 1928 IEXPLORE.EXE 1928 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 61 IoCs
Processes:
6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exewinlogon.exewinlogon.exeiexplore.exedescription pid process target process PID 2484 wrote to memory of 2748 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe svchost.exe PID 2484 wrote to memory of 2748 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe svchost.exe PID 2484 wrote to memory of 2748 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe svchost.exe PID 2484 wrote to memory of 2748 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe svchost.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2484 wrote to memory of 2824 2484 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe PID 2824 wrote to memory of 2812 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe winlogon.exe PID 2824 wrote to memory of 2812 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe winlogon.exe PID 2824 wrote to memory of 2812 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe winlogon.exe PID 2824 wrote to memory of 2812 2824 6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe winlogon.exe PID 2812 wrote to memory of 2800 2812 winlogon.exe svchost.exe PID 2812 wrote to memory of 2800 2812 winlogon.exe svchost.exe PID 2812 wrote to memory of 2800 2812 winlogon.exe svchost.exe PID 2812 wrote to memory of 2800 2812 winlogon.exe svchost.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 2812 wrote to memory of 1824 2812 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 1824 wrote to memory of 1672 1824 winlogon.exe winlogon.exe PID 2100 wrote to memory of 1048 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1048 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1048 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1048 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2328 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2328 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2328 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2328 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2056 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2056 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2056 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2056 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2916 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2916 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2916 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 2916 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1748 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1748 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1748 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1748 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1928 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1928 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1928 2100 iexplore.exe IEXPLORE.EXE PID 2100 wrote to memory of 1928 2100 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 6 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\\svchost.exe2⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\6fccbe041e1dd9a5e2cb7fd93c981389_JaffaCakes118.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\\svchost.exe4⤵PID:2800
-
C:\Users\Admin\E696D64614\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1672
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2944
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1048 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:2044937 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2328 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:1389598 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:2307085 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2916 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:2765843 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:1324088 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1928
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1Clear Persistence
1Modify Registry
11Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5f5c9938a2fa3fc7c84debe9b5699bd85
SHA1698dde95fa540adaedf8c6c475730896609a8fd0
SHA2562d21778bc0d4f0798a5c652a62f2971db17dcf2462b0c13d89bd02de1d6df3f3
SHA5124dfee6086310236069239716570f6d0c63946a01b62e644447d9f6c5c3231e50b9041cc6a4d1378d58a6f694520a825e7abf98fc501c519750602ccfebd3479b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_FF39174E74B4CC3EDAB0407DAB3A6FF0
Filesize471B
MD569fbae725b24fc9c56c31a94732df2df
SHA1a4fe166a35a908d7c5bed3b2a6ee0a4d6e628f1e
SHA25616cc605709ea40468a1eeab1382f6d4d6a373340c8fba3787737d6e9df481172
SHA51298c321ddcb9a37e66ac0fce829cb72d98569bf28f70057d5916ded2c3dab886b5623bf20789b143eb44d863259c309600edccd062e7ea93e6e31c8196629dd80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize2KB
MD55530179a4bef4a734f996eaac4103109
SHA1756c4e23268a8564c03cd604bd645554ed3711c7
SHA256f9bcdcb27fdb349917c9aea3f88e18370b09cb2386829a055a14a403d8766aba
SHA512f20b24a1d3fd37713100d55a317ebfd8a8eeb6a229da5f4ea7d286257d50459ca9f36bb26da95c436c84f6b4b8fd25c6512b543a0430e6f320b5756b11931f97
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize2KB
MD51af76c41a6d2d6d23e2cf921cb559527
SHA16fa16979d18aa8cb2bea2c0abd30ba2d6344663e
SHA2568e5a8a9cd6959271b135b0fa8df441b8f9e0897bf121b1051e1fcbe2a52788b5
SHA512cc27cbe8749ef2b850e8a7a392325c48356f43176863a4bd4406db24628b4f3f52a26b6551782ced088ce4863d325ca89d2cb69e9fcd56e70c4892943e75ed48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD5d008e8b06bccbf9a8bf7867cf830a131
SHA1c60abc06eb4e9a9c8e5514f0601c684e56b65b34
SHA25617734fde91846c4422e82bf1888803df2ea6b8a5d0ccd6aa5e174732a04d7303
SHA512ed5fba96f1e7d2ad11c1ee6c4216c94bd51c99b0df0d6091d6b5cef8898b1c0e23b51daf0b40fd4309987cd74ed23283c888a9523893e72a6917393eecf1520d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD51c3fd7579aa596901356394660a31f2b
SHA1f388ce781f50d3503f1c94c07941685cacace827
SHA25684365ba401d96f3e3e007c83c30c78d2351739c6bc94e8c16f7e64d4024c348a
SHA51263201a84b8b911b94069f37c7c7de9dfde4529fff6a5ba84f755a8c1bc531478df496ca1f1a46aa175f5915984b9f254f594d0e391e185cc164f9e8d4f9a1255
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_FF39174E74B4CC3EDAB0407DAB3A6FF0
Filesize406B
MD56e6b9b858966efb053c631315243e27d
SHA1c33a91656f0190895c64ef8a0ed54446667ff6bd
SHA256de3d51eb2f0a1baa98fe9f2f5b9118d35b768e30a0d96a7413374ac90fcf87c2
SHA512d8e45f8b10dd610bbfdee651b1859e3cc99103f8da5bac228b3bc15b5afb683687380abaa5b39abf75207272d5122588b113e0615085271895ea489e4b1c4388
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize466B
MD531b10dbb090cf38fb84054db1657302c
SHA14c966dc7f51316928a04ec9e61a15a4e22c562a8
SHA2564b8462941270bc62ebed75eafd15326d782b681e78368d3d02ceeb6c98fbaa8c
SHA512471c015b7e9c831ec855c1f78b6d615d50c3fdb4ecb11bee8006b3395b3a88558be0ff51b4a30bec3694dd5f5f126fffb70392373cffebd762ce92a6d69d4dc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD57a87cdef06bd491e82259bcc7b3e6739
SHA1c30c41cb9ffb7e7182b330d8220df9b8e880594c
SHA256e468763c2ce5b3dfa8390da4f228cce8e734b24874d0f53d3d851abe2b3b5575
SHA512e68dba53d2efbc80e79fe11f8aa57a8afbce02b5a90147e3f70bb8d31c8f4f94805435592ead23b61d8d796ad805ad1c5a491ad0a7bd7dcf562dfa58485ad086
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5194453e5ac914423a13060992f571fae
SHA115afa019975a808eb91dab3a4c57ee3214dd5462
SHA256aeb5a91a6f750da5f8979bc2adebbdc40f773af7dfa1ed0f7067876eaa708c85
SHA5129e0eed1e75279d77e84076799bdbb005391caf3ee30c35da231b8307f7fc4c22c25c5a6b40c094fdb976a12da95148e002d6a88f6d3f14806ab7da59b7345236
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5346dddb8c425b2f6d38b1daade1af3d0
SHA127b1e258f3dd9c744fa7bae2583628f7706905c2
SHA2562cdd07350a03e06001c91871bc92e1cce5a5a140467780b706150fb75707f490
SHA5125eccff87a530827b7a2b554c28dde1b47b11463baf185c032784e04a45300e7139026676057cb16131883a6cea107c24c0f012d5b94689393968b13f04a944ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD523813da5341fe9008902a867acc71f4d
SHA14fc70075cd7813c74970e0b0a11332c67bd9ff31
SHA25657775c3a14fdf30e99e3dec74cee239811e19a22e16592e260fcd6781d0e47b5
SHA512e3c8b1dbb6cfd960b8a0a2d3ce4fa00cf43e1efe9525f18fbf98aa4a83e100b2bdac80883361e451168b256891140c63c4e7408d1739057b32bcb3ef85388eb7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50a656477cb331a386c04e4de893f8236
SHA149c546e424a978359f4944a3a0e5d548678b18cf
SHA256380c44d1afcef724be87cd83568c85861910994a4a5e2c496b1c862591f33739
SHA512c733476cb6f432c6e4ed27dd2d40ffd8768103ec81a9a895db6943cbb00389e0ee9f1ba64c46fdde614fc0f27cbd353b9c07a520932450135ba136ab4a66efdb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d1e20f4af50d098a8769fa965e0932b9
SHA17bcf6f3d3e315e6cddf52dc659910996c4484440
SHA256a13b74115e492dd64ffbf8e2d57a99cf4f9d8fc96f9be3deef16df2c2741c913
SHA5125d9b5cfc08dc3e804c8d7d6ba3965ab9572251d820a6f09fbcea6434e4a5af9b16ce7a28d58f33c2f3f2c104c0b8acf053a3092b3e9ca540625c4c2dc90683c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a8b9ab4171884d2c1c5d879d776be104
SHA16d8ce1509e917f1a6af00aae2c07e7acf6ce89fb
SHA25611d0f03c7ef4ac987a1f7ba5a16b64379d7ba7b5795bc9358a210f836b750c0c
SHA512106aca2c4e66c7269ba61a3a51b9b8931597d38de94607b65b17f5b9b09c6d90b51c9805f84324eed11633c4d5df8c5a113c86de1b0f213c52e971d5de5ceba8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD587f42cdaaca6c1efccda41c3ddcd8eb7
SHA1df1a39a278fb50d89ed7f02769e238c6463b2fec
SHA256bb18ba3e1551a7706fc37cb0242b162ccbf3df9502a55cefa284ef8ae8f53ff1
SHA512e992df99b4bb824678acbb89363b55a6b63434607191cb70a342686d2c78e6a275f162e2af5bef134cc4d6cb9657c500bd32b73da722bd9a93e2f5d3dc3986a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fba746f17d5e1c35ce72ea6cfeffbb66
SHA19df438c13d5dd1e4f2bc1f0cc9bee0763e346ce8
SHA256f2e5f1abf59fdfe221984395de8b6c7e788d940ed4b7891a0bca28e3144b6d87
SHA512fc750361f5dc69ba73fe53f56df43004129c7ec7e4c612141324caf76219c9d0b6cbb448b443a9dd63b0c28bf7de724f81a8c69a33e1d0b82f1edace4814a69a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55f5c413c039502256a23bdbd7c6b72e2
SHA1be2dc6e03115ffef0f3b36a97cffd54cf4053d44
SHA25626240698ab671e9aa45db4fdd0b9c1386b4c1052cdd80fbb0acb55117aa319d7
SHA5128fcaa8d4ed44e2189d0af00e24bb75d313947593d99574ed4d76fecf398f0c8c30b60de0fa5817de081215803b0d6b0c699122c4744daa1e6bebbbe5df41ec2e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58c807d44d529365928108385024a9da5
SHA1f2fcadf409e6bbbb4452cbca599114e59a2815e0
SHA25679655e8d600485f79f01a5d2e5b7460ff36ec5d89660252292465131bbcfa887
SHA512d37c76301b9709ef13dae24e4b29c90de098bdfb5816e0c087d4a031c6b016f4d4ab6bb91a17821c8ad6b5770b554a711b6d86fb14b3af9977b3c2fd4e05ad50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ca7ba9118bb0cef7ca22859d8b0010d4
SHA144fc48ad5ff4a7383f971085ae8ecec9817d0167
SHA256dca16bc802dfd6f708c6a7dd2479f6e18f6355389752a6f699cdf44bb423ec8f
SHA51224a70fc29a991f077b343a98b38d5aec7e9de47886a014f86caefb6d1925bc9146d86aed578fabbe3104145d102c55af68fb59749e20f9ff4b9ac7672d14587c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56403de0c5a701b84dc5a0af069818f55
SHA18207eb53746958b03e3e8989774418738eab1946
SHA25626787333ec0e94405a02608e62e588eb896c58346f50c207e54fdfad5e05d450
SHA5125bcceb98f276e2ece512d385f0fbfc8cf5e7d34573570d789472a0e1e451fa333caf43c049e6d62c8ea09237bd5ee91e037fe0550e63f6e99fe451150de84e5e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b62c2fd99708f431f7d36b48692ef41e
SHA120109ef1d50e842fa29792e6eedf905e028747cd
SHA256b8f3bca854bea8bbcf7b668a91a11857767a8edd7d4d6993da80ef1737bfcb35
SHA5127fc5fccb9c5e34b5bb3a860269bc029d44dac106b992d6d95328767096222f02f99166168f47ba5cffcfb15308223089b989e70bf6ffeee7dc58a0edad303e38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5440f04deabc150ad13d940ec2aab34ad
SHA16571a1936fad32ae1470669520db1a8955508d1b
SHA256318e5ede341361177ab4aa128156dd77628792aaadf6da32e55614a1793b9776
SHA51262ce3a3af9f044bc67ab7d3505db51302ec994b5570389ac0adae80af4af861368c518ae46d908ac7364745b332f84395b64830c9c7862225ac8703c13ef1105
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f095b0f2caa23ef3cb5927e21cf9657f
SHA1d808522da16e2d7e9e9ac588b7e6d7725d644266
SHA2561da4598943e950d5f23040306b1c6bf65104d10a6ce61f6de3d827372290cc86
SHA5123de0c564a891baf9427f2d0ee07d18e1ae9690640e718094e5e79ac82583f735f5e58e9998b168e276bf72e478341538592008b816e377cbf4bed9dd4e903930
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD559b99120bd2f127723a30e0abac9c3c1
SHA1844202c5d125b75eeebae04e8596d154d77862c1
SHA256b65294d0988e68da5c0aa3a9c62d4ca66de756966a67d6d411bda237b2c64df3
SHA51203bccd69dbfc2c296b09b1514008eb3a358669cf6456d4c6624ecc62c112db5de435801799d37eb1a20387250de8120da49d5bc033ed9fca7e5b70af4ba1d8fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d6089a32befef989589314449fce29de
SHA1860f19e480e76bfbe5dc2b3984ff4565c2ab1586
SHA2563625d7d1c32c2088e73cb51166b8b6cbac316fb57bb7840c3eb83bbc37951932
SHA5121051a9faabe25ce8518ef5aeb34dc1c0bc999591290b7ab4e235b5a6a49c952d851246fe45460b8bbda46f5e973ef39234c907413d7efe4efe11b870d09d6707
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5cdf60d2a53e8eb65eba41c12dd49f6e7
SHA124697ebce8c97cd0981b811c9195cd48c0d97289
SHA25660543c58b37ca20fad6b94da1ea0006dd73399ed694e25726529ded138e2d49c
SHA5127cd4e189dc8ac42e1af4c8767000682cbb625a218d621472e6109e8f20cfa3b3ab4a9c3acce72f8760bbfa791d30e1a5de775c3b2466c258ff32b39b1f054b80
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize470B
MD559d7372186c3357c044c72b1b7163b7a
SHA1159e77439face8fcf1b5d3fd3684c1eca65c58a4
SHA2568d41d5fecf32fa06bc0c1b7c8e7cd5668197fe19f3c4bec2dda2cb63768bd64d
SHA512b1c83c0bdf80d3398e0ca4a882a781cb8c1999c48829662b5610b1f7195ed7f313d356ad511c1e03f1930345736f01ef06dcd1ca292e5d45e81ac54c32047be8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\tag[1].js
Filesize59KB
MD528a0614f13dd1ee7a7bbe82bbd11e07e
SHA1d0e6e1cae124d2e6e082060378286ee69db9a1aa
SHA256ecb84c090467eb948c17287cffa270e4682f84ce8c5d64e4a3610766876526bf
SHA5120195b20fe9165eeffc3f2763a163c2340f35bab8154d0a33de2e5fc293153340ac2832753874b0788c6db71c6c90b54d3b9b9e829b09ca3c940fd25e158f2599
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\caf[1].js
Filesize150KB
MD5787990ff9cbf0945543cc751dc98898c
SHA1ef1e788091319d770e0c9686904d7a8150230606
SHA2562eae1cadea23580be277e1fd0e462223590e56d1bc2cf9e2aefcaee82d95eba3
SHA51208b6cba357aa8247b81660c843a17689d2d7a88cdba55acff490adc925305fa5f7107c8794c1cfd8544c7facad2b1d3c8d0475272e10476ce768f9fb3d5ec5bf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\caf[1].js
Filesize150KB
MD5c88e5a46224bee6685c937fc4fcdef3c
SHA19e5e31a9f96d870a2863ce022fc782bd84dca154
SHA2563802892d65152c85fad9ac22b00205405314da2b2c3d91778a19cd7bf3d11d73
SHA512bf924c2ba760d3ee5da3cc63e1aae0698bad6e3065c3f1b7f9e681d0f7754c1bb564e3ff40b27bcf319ace921811462190cb919437c502314cf85aa0551dfcd0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\main.ef90a627[1].css
Filesize3KB
MD53f821ada778691e677aef2cea8c4b4f6
SHA1643e7b729b25c2f800469623191dc837798e9d50
SHA2567510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d
SHA5128993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\ZXDKNJYU.htm
Filesize220B
MD5b01635ec5e275591499115532c76bc17
SHA15d0bab313a319f7f5b278644f041b2a506b79cfb
SHA256c0d7b6836963b59feb5880b06cfb79f2131d260f188a142ba851d8bb807cbb41
SHA5126beebb1d493d687fd5448cbc5da17c89aa8d283d7f06a495168c234d6b89430c0e51ec3bc6b4ff608a0acf856a204c328c849bc25ee17cdb751a2cb9d432b9b7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\main.a6395724[1].js
Filesize674KB
MD5888c1e954d8f5c1ba90402c3fdf39209
SHA16328f5feab3eb9b3f988a139341a19deef2b208a
SHA256e513d7ea8bf12e7872afffd0793bbe9d2db074f6fb013a10a6de9bccb4789a7d
SHA512c107c6975b1285dda539a5aee6e984d2663430e4fb58bf2a47aff179568e28efadc538309c917e138e919ad54483e59208e5ae89cec0a64b9e4db604369a583c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\lander[3].htm
Filesize620B
MD5cb45e15ab52c1eb76257b6fa7be6b86b
SHA19e011b81247e40889c2847af26039ef59f268553
SHA256ff104bc0e40a7588a3d507a7d136d4e5a0c9bbe224825469f42dcf985b53f575
SHA512d0b8a24593c51b4c39a675c65896c6caf62b7ac1fffd0cec30a60bacb6a9b7a8ff611bfc64a7cd626f3083b15a8c10cf9f76cbbac88cb56351befcce619b5afc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
401B
MD55649a914e322508847e588d4cc39c904
SHA1f381bf448e5fa3279243dee3fc17972ab979492d
SHA256c847d9f1273fd9b281487a813895a999d8f34779d6c331245f44a81393c5af65
SHA51281e14305fc4a086b91fa14658ccf6f6ccf3d4b679b96b8dd8d9c146c54bd7f17b2bb9c098a467ec194a13f8826bf8e816501ebe5ec8b358ecaace9405abb9a48
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize3KB
MD5389c034967a03ba6efe075688bcbd88d
SHA179a42cde9117d13752071a22970f37bd5eab1487
SHA256694eef89ef13ee05ae1bcfab45d3ff5c8875d7b1828a7126a38d695fe17514e8
SHA5120096a0584467d2cca8284de722f02045de3c0425de03ec5226294cb892e79b0d23c5ae26f5673c9b80a8c7541be612fe67251ab6f97d27cf6a45e5eda3b2016b
-
Filesize
526KB
MD56fccbe041e1dd9a5e2cb7fd93c981389
SHA19490421957fc19da0b0e273104f8a712e63c968d
SHA256c65ade0d652262eb829c23077cd9cf690115f18fce081d807a733cf66e23cd15
SHA5128154d547c08ae714e27b7e779d3dc81c722137bd7ede6cce942ff2869daa7eb1a241b243948db6489b57341918a3cf74838c76c0d2157783f2301987522820c1