Analysis
max time kernel: 139s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 02:12
Behavioral task behavioral1
Sample: 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task behavioral2
Sample: 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Size: 1.4MB
MD5: 8126840a68ac0b59131895236692c577
SHA1: 9a610c195b9b153d8f31a0cc786f709372bc81d7
SHA256: d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435
SHA512: 74cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8
SSDEEP: 3072:hxAMvBIEH5OIPPSwSHErh1Rj++Ekibboxd2Kzm:hxAWINKSqh1Rj+TnHqm
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 18 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
Executes dropped EXE (4 IoCs)
pid | Process
1664 | winlogon.exe
3532 | winlogon.exe
376 | winlogon.exe
4008 | winlogon.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 512 set thread context of 3716 | 512 | 8126840a68ac0b59131895236692c577_JaffaCakes118.exe | 85
PID 1664 set thread context of 376 | 1664 | winlogon.exe | 90
PID 376 set thread context of 4008 | 376 | winlogon.exe | 91
resource | yara_rule
behavioral2/memory/512-0-0x0000000000E50000-0x0000000000E8C000-memory.dmp | upx
behavioral2/memory/3716-1-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/3716-5-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/512-4-0x0000000000E50000-0x0000000000E8C000-memory.dmp | upx
behavioral2/memory/3716-7-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/files/0x0032000000023b74-14.dat | upx
behavioral2/memory/1664-17-0x00000000008E0000-0x000000000091C000-memory.dmp | upx
behavioral2/memory/3716-18-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/1664-25-0x00000000008E0000-0x000000000091C000-memory.dmp | upx
behavioral2/memory/4008-30-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/4008-33-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/4008-35-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/376-82-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/4008-83-0x0000000000400000-0x0000000000443000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8126840a68ac0b59131895236692c577_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ielowutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c6c7f522df86b8efce5bd2bb825b0b5f7e778cff67fbd1f7f27c1262c8b69ce7000000000e80000000020000200000009cf4f21d283151e84b12d7485491320ea5b4a5c16cca01f6dc2bede6962f69cd20000000d4c3a9e31d681aadf548a06c25a41193c61efa5f3655ae7c5db3a7648e4bced340000000d53df888c19276f34b9dc69bf00ef137865039f8b0df2994a8560c175c5d8b1af5099f5e04f459e76a6bc6fc848a8e161f4a0a0c64ebe5545f51e91407cef642 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7014592f402bdb01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140672" IEXPLORE.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://z548qjnsyy80x2w.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a048013c402bdb01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1072187176" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet 
Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dfd442402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f74948402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000db0a782b812c10bba7d8e7ef57c96433586152e91fea49cc0a23c820469fe2cb000000000e800000000200002000000063ef3ee11854f0b8d56401c55363cb0b16d2b187375e75b657554d0c41dd991b20000000b1ac671f665e13f273550ec0274a1a60afd3ff4412a8b9d6915d44ffe09c6cfd40000000837299aed2fd7737252dce63c24d2ec213e6962588e757f7279799f3c84af38fdf17129a6f27ed6e52a06bbb8a4ca68ee15df4ca6102833105cb5224d9bd0dba iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000007e7070226fc0804c1675de4c08e570226a386de0a35d9ff6530e1df406d82d68000000000e80000000020000200000000e88a9719e2ef12f73de2953276b399b1e8772fd39351af55482a356dc824a5520000000d358dcdc1399a97471e5e879452027dc680a89637340ed9df68f1d31a17e850f40000000ad74a954b32ab03e9374d27955ec4d8455d1e942ef70a05783b205ad23b4bb27e8ff73ad4d4530c37cfa195d45f9e7205460f93f7766a4bb4347a9ddf9fba8c8 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000f24800e02bf3f4274a215ed2c583542bdef509dbe12c85f1727d3c128d20ae11000000000e80000000020000200000005697cc6ff0bc6bd49a4fb716f2612c490f6a8cfb6927f4b4448a9d9c40ce786a20000000ba0bf7113c9870a044dddb4c688d28fedc08e62f1c7221220566a75521f7c84240000000fbf8d3e39ea18bcff901bbdcdbe4bd424a67e21e72667e72f64e6cb462159ccb932459808033a7394ccc280988ee335d9408f4aa8734f1f18204bdc6b5178a5d iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://px3pj6420c4m1t9.directorio-w.com" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1072187176" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0697649402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000d1e66fc4038e215f446afe02f1430b887e91085213d81eafecc9e8abaac17cf1000000000e8000000002000020000000ce2f95f1629ce73e4ba08fbf537ac7d20b8da92fac90f840a88bb4780cd09e4020000000225a5b724210fa426eaf56e895f37f294d2c9474372715874e39abf90b205be440000000b7f6d8db9d9a0384de84f0064fb1a5c77968654a5f04a0144fb03566d6a9eaca84c73c9edc97fcc2a02326971885ebeb6a702db22b0251ce3d15d06e48baa15f iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" 
iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c047b0cd0fe18cc51034eb777aa2e56f11eecb1bdfddd587d1babb3409d452d4000000000e8000000002000020000000a05463b846e1aa1b6aaa3d90a9b6b5778525be25f7c4d3e037b654ec7c96c6022000000097af54c676c876e7afe696760d6ac7ff5e8e678d5e93ce0c834c6e7f10f6796840000000d5e5ab8af75aaa11aada6093872bf8c431fe7bacd62aad7a317f9fc3f7d3464162fdfe32a2896ba265064964a094817008449de646df46864c4dba8ecdd6b9bc iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000049068dd8204426a30cbd3d9f007ec2f5f4a0cb8112562231feede379a66edf2d000000000e8000000002000020000000f2476e8dcdfd246faa903413ea35a12a49fb4e24476e6df682cd4f9e699ba046200000009e5ded80099cf695c266784ab51384c3d135c81d39a594abe3a3991c3f23803540000000b165d4d6bf55f0fd55788e82fa0d9f68493d4e268c950e9a9450bd38f2521f29a278c8df09008c627a9146f048f09fe7293db4817ff0691d311ebd84dd319da7 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705d1d72402bdb01 iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\Main\Default_Page_URL = "http://8q69g5bk2j47vt6.directorio-w.com" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6B6E0B13-9733-11EF-ADF2-D6A59BC41F9D} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06eab6b402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000008e93a80b4a3b9d69277f777e53e50374c5b4c0626359958d18f37b749f9f16ef000000000e80000000020000200000004ec5c1121d231eb7a22447076db0fa0a07542791a1cecb1e31a7dea214473d9d200000008ced556bfe19fb5c03d2b7f057325c3526a4726081d09dd12a8483bf6500473c4000000010ac13f971d7237c284a3a284d976202a128e068c7b418300ae87bb47ff45fc117950aa6205f6d6c3a426726c0e300805bcec32e7d66a2765b3ef4e7149f8359 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b94c65402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0235148402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eed5ebc81741a8c7383c3a4bb0fabd0df883eefbf3d3eefef63270cc68d66ab7000000000e800000000200002000000087bccc64319a3eea56d297f3f195374280e5772c2523be0894a852fe192c059220000000303cbdb2987f940d69a133386ac419159ef0856dccf67f2cfee6c80e10ec0edb4000000093756c9052f3ff33bcf56ef1a5c428417cd235781ee537d51e87f0592a54f83aa38d4da2e671be0c2b4cbba8ec31fe01d6cfbb7d1912efc606201b950c76359f iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000ac2ee100f758f189638aedb6f73e4240fcc99016009ce1f37893114c655b1acd000000000e8000000002000020000000357ccfad998a48cd9c121014b9e59f1e1fe049069c6dd83b9839de10f0340e8d200000008435d583902ec24a37c9a6a3ebd35c40cf0d146ddb5df9a692d945d111e614ab40000000a8bb0e816498987b326d3dee262f4b53b1e588edee4cfe3a7379e8d7fec47ffcd4d96063ac4f0977f699439ed6737120bf83163598b6f636007e499342ffd2ff iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://qd8ge4z1t2o3d08.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://fctsigx8jbazi8b.directorio-w.com" winlogon.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1070936923" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3047555e402bdb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a061935e402bdb01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908d6c3c402bdb01 iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://71r6716le07z4zq.directorio-w.com" winlogon.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://711h081oz8s12r6.directorio-w.com" winlogon.exe
Modifies registry class 24 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4008 winlogon.exe 4008 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 4008 winlogon.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
Suspicious use of SetWindowsHookEx 49 IoCs
Suspicious use of WriteProcessMemory 57 IoCs
System policy modification 1 TTPs 6 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵PID:4904
-
-
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:3428
-
-
C:\Users\Admin\E696D64614\winlogon.exe4⤵
- Executes dropped EXE
PID:3532
-
-
C:\Users\Admin\E696D64614\winlogon.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Indicator Removal: Clear Persistence
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4008
-
-
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:372
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:2196
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17418 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:860
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17428 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3628
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17436 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4976
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17450 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17464 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17478 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3068
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 2
  - Windows Service 2
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 2
  - Windows Service 2
- Event Triggered Execution 1
  - Image File Execution Options Injection 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 4
  - Disable or Modify System Firewall 1
  - Disable or Modify Tools 3
- Indicator Removal 1
  - Clear Persistence 1
- Modify Registry 11
Credential Access
- Credentials from Password Stores 1
  - Credentials from Web Browsers 1
- Unsecured Credentials 1
  - Credentials In Files 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize466B
MD50f208b16d7ca50ce483b6f6b171d9e0d
SHA1661600699281220ac0f97f34ccb0a6063403355e
SHA256dfb05b61cc83ca973e8321744dc4084a64387894b49483807e31343daa881465
SHA51272d549083e9e4520b39e23364bdf21f074bace802fea3267f98f6537454a7c41925710b789dc4d2b9b82028c64dc7e82f4e2ead7805733bd28e0d740a38cd690
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5c58fdf8462cbb57281609e2769df3702
SHA1329b28709369f68c63561584ac51e72d6d0d9a7c
SHA25659c8ebd7a1277b2bd20db43fc61fe42ca0f7822c2c7d7ad90fa1023ea4ac6bc1
SHA5124761447858df034e94ea22fcfb5f5ef2b756bfe554a6e93c6c2e055a0e948c13597a3717dcf5eb44a7c761015289787f722f8929af916b5abbf0b325b51428c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5b36d1273d2c3454777c9e09b1cc86da2
SHA18734de9278276b494c0616797fd609fb8ab2a71b
SHA25680d4abfa28f1f4b07e861d1f7c649531027dbb0b4f4a9e4e0010b6de649491d1
SHA51249118f960ff716a78175f06dc38a15f0531ab217ca5271a54212be990e74a46d2f30f47ce04435eb57d01a0d540fa081bacc834b761cbd4e16f8bdf9f2b518e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize470B
MD580268f845552c33d0181594b4e3d54fe
SHA13e9d423c97885b47b4df7acb05caa1e00ba6b500
SHA2569267cdfc6231c41c89ce2a35db2379fa23571513736da393b33ca8a0b45e147f
SHA512af0e9e4bfc842f590cf85d691134d7f33b74c2c96896784e452929e5ec60d5e556b1324890b4fcc7702fb27dcd1537414962491bb48b94d4856018155d26343a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9
Filesize402B
MD54cd5a4f2ce6b03f42d3a4f4a72c7921e
SHA1e4146bcc0fb0e38c35d967ac7689689a4cb88437
SHA256e6e2ab5e3b577b9cb943a39ce3f38326b5d1856e796566876f90e21d0402082c
SHA512a8948d3dc2c394d87545d77d33d25579bec4a90730c1e23ba438189eb1af458717df2329caad2c00d82b9e00492ead5220bdbbebcb40f8473f4b72018c58c0fd
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
872B
MD55bf8a14e0828b528b942bda627ef5df4
SHA16109969fccf61e9a73d7ade791883a161c3ccc80
SHA2563b3991b64114d9fa87734ee504936fef044fe274cf9fd52ae3522f6bde9e319d
SHA512414e7f78b9ab5d9ed1fb02d049607d58fc5cf95ed3d24710817685d37a0c163f4e7ee58d29fd6e6050b1ef50e42578902e2e3b2ee7f5973fed8309c55f33d8c0
-
Filesize
872B
MD527e22f75474988f9030be7ea53980ae2
SHA1a7268304ab1085069064f171fb8911e3a47fc639
SHA2566fcaf9f36decca166c5ae5550c345c3fb03de49271d692eb18e324261fd7bcb0
SHA512041cf79a5d682e6aa3e2922f161b6ae9902e0fb0f74fa0cf109ee18f6c22e2f0799383210de16d31e5d67ca9c10d4ca445306a2c7a3dde35e579e4fd4ea29d50
-
Filesize
872B
MD5c010ba06745cd1bbc23dab6ea06db16f
SHA1af21b04cc7473de95a481fbed84a420bd6a8c264
SHA2569e60e8576b53153dfdfdaef3063543e1c0733d51890770a2d75282688318e70a
SHA512d73366e5e71c0755046a6d11f58798160a6ec6a9454b8db58dedfba2f28eb87a5637ea15425277a0cf9407dcc1bd07f2db1523f0ca9eeb27dffd3d1af6e3c60b
-
Filesize
2KB
MD5f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1f4eda06901edb98633a686b11d02f4925f827bf0
SHA2568d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA51262514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436
-
Filesize
220B
MD5dfeb07871e58cd3537f30da5fad9ca14
SHA1fc52042fa6ee618f89631335f61c067893d024aa
SHA2568d9ac95b12968978fb7ae85bb9a6d968cdd3f6a22c5cc772fe7fe129fc31f66a
SHA5126e006480d85d3358a6f7583310b0de2311b174956ae3c8ab3f3af24095b984418b6b9277e746c5c55a14bc9cf7d41f9822d03767d974301a60029f8e6398faf3
-
Filesize
872B
MD55883f46c1ef7b7c85314ba911869fab4
SHA1252daf738d9888825742e25ac42ffd69538aa3b3
SHA2562b0b93c69d5d649272ab2f0b3538cc7e2e8a4b784c2c32464d074df2231ea532
SHA512b0b628501438534071872d80aed28ef161dd6b6db549fc1497bea1bef668a0375995a6d96ab5e3dc8d3b4e9924ef70fa6f374dbfefd62608f76baf768439c4e5
-
Filesize
872B
MD5167367582e5b71bc9838ec147ee53afd
SHA1b3a2c653bf961f4ef6f2801d746e18868e3e32d9
SHA256b4faf4ce8d8df166748e9a1502ba5ecfa278b5c33643df4ad80bee0a86537b44
SHA512233b9558c352199c3a11cf0db4516433f208d6e5f9735fc72dde3d86c07f89becee5fb6642d575da1127ccca3b2a50db94d272453f7e5cb0a84c0181dabcb0d4
-
Filesize
148KB
MD5340d8a59db8189247ee271411338df7a
SHA19b423de05ff2d15c88107d40146d0dd1b03431c3
SHA25625ac5bfe94dbad6a8d33bd8b3844a471bc171202fa67f6778e263a5a3bad534d
SHA512e74586f5d07a97997cc6a053f4cd5f1608c7db31375a4116c41227fe7373df11c842fdea268ff30ced05e0e864b6080404e5c064de9a8e794c1188e0610b7e0b
-
Filesize
150KB
MD53ead10870e1afbc3f82ce87dc30e59de
SHA1054444246b731a9b64c730871407d7302bf5ac2b
SHA256b5e45b2484a4791b1829946da8a71a8429cf12ac14cfb1eb9ca011a201f4ca7f
SHA5129fa45c0ecc3683c97a394e2636ee1c687e4d1917470714aaf1381cf012109a38edf637f2da88c62da62b8f0a28df8c9d23f533f9df9bd1b8a78d895f6c7a50b5
-
Filesize
150KB
MD5e69ac32ab1e181b296b5d71cfa1ef63a
SHA1ad1d570d7a5fb3ffc42ecefe1cea13a9fac205c4
SHA2568d0dd55974c027b602fa403e5372a69dfc99c122fe9e1983f3bb1bb3dc28dac7
SHA51270a990c4f0e5af5074304b2f625130e2741d8c532a05c603adc853d184da203eb51859e66e998539e57f3cfb4e6fad6ba8196c81ceba03b6c1ae7e85afa1b243
-
Filesize
4KB
MD5d65ec06f21c379c87040b83cc1abac6b
SHA1208d0a0bb775661758394be7e4afb18357e46c8b
SHA256a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA5128a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e
-
Filesize
674KB
MD5a45598e4c3ad88168b72ba9e56f9db3e
SHA123ca76f52fafd8bbfee3426cc2202975a43d7450
SHA2569cde14ce75189208d1475f90c0cd75c31413d95f1c521ed0be883d3a5979647d
SHA512b719742992b9e1bd9a0f6a7b98eebe32718bdf1d4fc47ba3e1c0d5c2991d0019013cc5a6c1ade7416077e8136b6c24869cca87067b67e9bda6610743f6790241
-
Filesize
3KB
MD53f821ada778691e677aef2cea8c4b4f6
SHA1643e7b729b25c2f800469623191dc837798e9d50
SHA2567510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d
SHA5128993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5
-
Filesize
872B
MD5ad4b8b78660237e90d67998fd3cad18f
SHA1faae5b2c8b720bd753aac996bba439c1a1f5635d
SHA256b6303035a2bb5c474b0144297c656c0ae94a124cde3e2e609eb6921747f2ea1e
SHA512f4ecdccd6b3962c2bed6ca636d1041880f96c9b4f0edf103d737be8e9ce925078715f56687c29110e6f49cc1ff2400248819528f87d2f356ba75e937b1ca9a9c
-
Filesize
872B
MD54d23344b780b1cb09c2f9c92f03d7a0b
SHA1d63c9cb09395b7c91f1d1f4fb3595733eda5f865
SHA256470d40498a016be7d519f396375a0c13fd507b2b179877f0e0de47f4c3933e67
SHA512a19180ce7f03cfaedc7959233e1ebe801d245832b75e18c806b0addd16f96efdfca6e7f867ad07998aac01d5885a133db57aa53b546a474ab27f964c34bf1a41
-
Filesize
872B
MD5dac5e4781d66af73cf333643010fdbbd
SHA151326f40da0b960418a4c5a60b7f99e000456501
SHA2565b5a2a9a061243480e44a57bee3cf76424c44164be9cec85a5acc95d0617a918
SHA512aab7e20160356d44773a2a3ae8e38225673644e15d88298e646e513c59d6ef6bc3cc9c31b75081fa31fe22ad06c0fd087bd360ba4a77c51ce916ae6108c7210d
-
Filesize
6KB
MD592ab50175c4b03970f264c637c78febe
SHA1b00fbe1169da972ba4a4a84871af9eca7479000a
SHA2563926c545ae82fc264c98d6c229a8a0999e2b59ed2bb736f1bda9e2f89e0eeac8
SHA5123311f118963ad1eaf1b9c7fb10b67280aae1ab38358aed77c10f2587100427af58c7d008abb46ad0f59880ac51e50b5a53fc2c2a96d70f5ece4578ab72382b7a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
872B
MD50ac17d2e3df26372118deffb67060b69
SHA178e5ac5568354defca592b0b1595dd7307c2c09e
SHA256b7c9b65a8ed945d6f5e53950cd8533e8cbaf2b9c7f7cfdda75e81d4be1a5d7db
SHA512c0a71e6d3fab1e6699f4f4ad3115377ae1270509edb6e224a816391543fa0abc2d4c5d41271ec3d65e602c5b2092c9cb9b7db230d9c9748ceebdab11504e32c2
-
Filesize
872B
MD5b451b6d35d24a000dc1e3953f1249609
SHA11f87f2e807e23c3641c564f58f13c2b7d3159f0f
SHA256c624cb8f6dacbf0dec360f6ac2149eba115eb5f580fdf007fb5232652e70da84
SHA5123b4628728ba6727330cca27bea804ba4f18c20eb5078b5312b857dada8dcb039f02e6095530e7031d5698286ce1f1e51284a03e4c784c9eb4685b0c11fb47db8
-
Filesize
11KB
MD59234071287e637f85d721463c488704c
SHA1cca09b1e0fba38ba29d3972ed8dcecefdef8c152
SHA25665cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
SHA51287d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384
-
Filesize
620B
MD5e15c460ec7ba9ac34c90a95a4d8cf472
SHA17f87fb6d10fa8b1d88972826b2fca27278fbcfa6
SHA256e3645f226c6d2b938c261bdd3682a245e248f56e8cf7ef6d8ac30011d7ede8a7
SHA5125b69a590abe2c9289db9d09886fc74478dab94d029438a1e2bbc2019a27e008f776c838fbdc3a9c40b4dff322c8510cb6d4f34ab51cf76a40cedfac14e97f070
-
Filesize
58KB
MD578cb756aa06b07c207880f7b4fbb721a
SHA16f96c8d80d2281afe016f345bdc448255740622e
SHA256cb666c470a82988da4f29bef5b1f8f3e1d4119fafc9e78538cc0e74f17c8c338
SHA512a3fa57a8bc184f2561164395b9015305bfc6b4c1eeffae5a630395a21f730bf8a0640b4bc5d948d6f0bc78e3f6c829517ef011f1f78db0578272d8a1bb1aaa21
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize3KB
MD5ae72ca27b9634411ebb23777cc46a472
SHA1ea027016fd632f9b6ba1c39de3bdd15c2ef9baab
SHA2562eac5e0ad59cb5f6fcf1d664a06496869211d95e965a6199af32fa76363a40b9
SHA5121dbf8e1ef12ddf8e09b6d2313a8f1960cea7b637988f2e18e0d2097bff929834ee37454dc6e699023f8aa13f071fc9e5591fca9be53e4edf7973527f5636465c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Filesize3KB
MD59cb89abcf07bb31fb38c895f6b00741a
SHA1b332ab7b5ffef559b3521b14f8e01a464908c78d
SHA256116c85f8ddc3c53cc648ea219ddc20a77c1605a489636267d87316473177f707
SHA512a658bc409d306fea713e22e2f79dc62788acb91e7e59a136b1ee6a8dd66d4c0ecb0acf392f49f1d7468f841447fe3a001d5614c418ed54a4a204e7f9f987b6d7
-
Filesize
1.4MB
MD58126840a68ac0b59131895236692c577
SHA19a610c195b9b153d8f31a0cc786f709372bc81d7
SHA256d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435
SHA51274cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8
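The Downloads list above is the report's dropped-file inventory, and its most useful role outside the sandbox is as a hash IOC set for hunting on other hosts. The following added example (not part of the report or of the sandbox's tooling) parses the listing in the flattened shape the page exports it in, where the algorithm name is fused to the digest and Filesize is sometimes split onto the next line, and then matches files against the parsed records. The embedded listing is constructed from two public hash test vectors (the empty file and the bytes "abc") rather than taken from the report, and the path in it is hypothetical.

```python
"""Parse a sandbox report's flattened 'Downloads' (dropped files) listing
and match files on a host against it.

Added example, not part of the sandbox report or its tooling. The listing
below is CONSTRUCTED in the report's layout from two public hash test
vectors (the empty file and the bytes b"abc"); none of it is report data.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample in the report's flattened layout: a '-' separator,
# an optional path line, 'Filesize' either fused with its value or with the
# value on the next line, then the algorithm name fused to the hex digest.
SAMPLE_LISTING = r"""
Downloads
-
Filesize
0B
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\abc.txt
Filesize3B
MD5900150983cd24fb0d6963f7d28e17f72
SHA1a9993e364706816aba3e25717850c26c9cd0d89d
SHA256ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest names first so 'SHA1' never swallows the leading digits of a
# SHA512/SHA256 digest ('SHA512ab...' would otherwise parse as SHA1 + '512ab...').
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]+)$")
SIZE_RE = re.compile(r"^Filesize(.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text):
    """Return one dict per '-' entry: path (or None), size, and digests by algorithm."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            current = {"path": None, "size": None}
            records.append(current)
        elif current is not None:
            if PATH_RE.match(line):
                current["path"] = line
            elif (m := SIZE_RE.match(line)):
                value = m.group(1).strip()
                if not value and i + 1 < len(lines):  # value spilled onto the next line
                    i += 1
                    value = lines[i]
                current["size"] = value
            elif (m := HASH_RE.match(line)):
                algo, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) != DIGEST_LEN[algo]:  # catches a mis-split fused line
                    raise ValueError(f"{algo} digest has wrong length: {line}")
                current[algo] = digest
        i += 1
    return records


def digests(data):
    """All four digests of data, keyed like the report (md5, sha1, sha256, sha512)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match(data, records):
    """Records whose digest matches data. Only the strongest digest a record
    carries is compared: an MD5 or SHA-1 match that disagrees with the
    SHA-256/SHA-512 is a collision, not a hit."""
    mine, hits = digests(data), []
    for rec in records:
        for algo in ("sha512", "sha256", "sha1", "md5"):
            if algo in rec:
                if rec[algo] == mine[algo]:
                    hits.append(rec)
                break
    return hits


def scan_directory(root, records):
    """Hash every regular file under root and return (path, record) IOC hits.
    Files are read whole; switch to chunked hashing for very large trees."""
    return [(str(p), rec) for p in Path(root).rglob("*") if p.is_file()
            for rec in match(p.read_bytes(), records)]


if __name__ == "__main__":
    iocs = parse_listing(SAMPLE_LISTING)
    print(f"{len(iocs)} dropped-file records parsed")
    for hit in match(b"abc", iocs):
        print("hit:", hit["path"], hit["sha256"])
```

Paste the report's own Downloads text into parse_listing to build the real IOC set; the length check will raise on any entry that the page's fused "MD5..." / "SHA1..." lines have mangled, which is better than silently hunting for a truncated digest. Note that the CryptnetUrlCache entries in this report are Windows certificate-revocation cache files that change on every run, so they are poor IOCs; hunt on the executable payloads instead.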