Analysis
max time kernel: 121s
max time network: 150s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 09:14
Static task: static1

Behavioral task | Sample | Resource
behavioral1 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | win7-20241023-en
behavioral2 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | win10v2004-20241007-en
behavioral3 | /tbu01932/autofill_plugin.dll | win7-20240903-en
behavioral4 | /tbu01932/autofill_plugin.dll | win10v2004-20241007-en
behavioral5 | /tbu01932/communicomm.dll | win7-20240903-en
behavioral6 | /tbu01932/communicomm.dll | win10v2004-20241007-en
behavioral7 | /tbu01932/scengine.dll | win7-20240903-en
behavioral8 | /tbu01932/scengine.dll | win10v2004-20241007-en
behavioral9 | /tbu01932/spellchecker_plugin.dll | win7-20241023-en
behavioral10 | /tbu01932/spellchecker_plugin.dll | win10v2004-20241007-en
behavioral11 | /tbu01932/spyrem.exe | win7-20240903-en
behavioral12 | /tbu01932/spyrem.exe | win10v2004-20241007-en
behavioral13 | /tbu01932/ssceam.vbs | win7-20241010-en
behavioral14 | /tbu01932/ssceam.vbs | win10v2004-20241007-en
behavioral15 | /tbu01932/sscebr.vbs | win7-20240729-en
behavioral16 | /tbu01932/sscebr.vbs | win10v2004-20241007-en
behavioral17 | /tbu01932/tbhelper.dll | win7-20240903-en
behavioral18 | /tbu01932/tbhelper.dll | win10v2004-20241007-en
General
Target: a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Size: 1.2MB
MD5: a112e40270437a236bdd9dfcc948a571
SHA1: 8a986bdf5b0271e563879d322f4cb0cb9baba466
SHA256: 1558335060381a3a45cbd49ea18742a4d1f2bb7660905ba07fc01a215cc792d9
SHA512: 943099e0d4a2f13437eef1a7b0dcdf72a3b3a7c78d5daaf9882b0433f2b5a06e53964b470b47a0585c2999707cdb663a460515360bbc82af83cdb827f273b48e
SSDEEP: 24576:8RWbHmsmKbRL6lzZXgfWDzyMM65tkU3ytel:8AbHmsXRePXgfWDOMjkU3KQ
Malware Config
Signatures
Ardamax family

Ardamax main executable 1 IoCs
resource | yara_rule
behavioral1/files/0x000900000001749c-31.dat | family_ardamax

Loads dropped DLL 18 IoCs
pid | Process
2940 | regsvr32.exe
2940 | regsvr32.exe
2940 | regsvr32.exe
2940 | regsvr32.exe
2940 | regsvr32.exe
2940 | regsvr32.exe
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\ = "TBSB08725" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E69F62B9-AE72-43EB-990C-3E4D8590E17D}\NoExplorer = "1" | regsvr32.exe

Drops file in Program Files directory 45 IoCs
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies registry class 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2968 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2968 | iexplore.exe
2968 | iexplore.exe
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
2744 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 2940 | 2412 | a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe | 31
PID 2940 wrote to memory of 2968 | 2940 | regsvr32.exe | 32
PID 2940 wrote to memory of 2968 | 2940 | regsvr32.exe | 32
PID 2940 wrote to memory of 2968 | 2940 | regsvr32.exe | 32
PID 2940 wrote to memory of 2968 | 2940 | regsvr32.exe | 32
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
PID 2968 wrote to memory of 2744 | 2968 | iexplore.exe | 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a112e40270437a236bdd9dfcc948a571_JaffaCakes118.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2412
-
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\CommuniComm Internet Toolbar\communicomm.dll"
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940
-
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.communicomm.com/toolbar.php?action=installed
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:2
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2744
Network
MITRE ATT&CK Enterprise v15
Downloads