Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-02-2025 00:18
Behavioral task behavioral1
Sample: JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Resource: win7-20241010-en

Behavioral task behavioral2
Sample: JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Resource: win10v2004-20250207-en
General

Target: JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Size: 1.5MB
MD5: c9040ddc80275bce629c71c50d2e42ae
SHA1: b01c27424e01031bdc77f56bd55d04fe791661aa
SHA256: 7e3e3413575bc60710db5d575851dfd46c05e596eeb7e01ead584e671fe7af62
SHA512: d39e783ba908e5d5853263a28c6744c892ddd549591bb24b8da95ef219d9df5ed9c6a56645689289f263a077015681b70f3c6a4b985a5cf8afe762d9f67437ac
SSDEEP: 12288:DLI2nmeC1Tg13XD7tfmCnZVcorOk4X/3K63S+/9HQKGP2ZbHfUK2jRhSGakKeiSt:fnmwnECnZtR6f/OKPOAGakqKitxKMM
Malware Config
Signatures
Detect Neshta payload (7 IoCs)
resource | yara_rule
behavioral2/files/0x00060000000203bb-18.dat | family_neshta
behavioral2/memory/1644-131-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1644-132-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1644-146-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/files/0x000a000000023d1a-350.dat | family_neshta
behavioral2/memory/1712-356-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/220-364-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
The memory hits are all at image base 0x400000 with a 0x1B000-byte image, in PID 1644 (the submitted sample) and in PIDs 1712 and 220 (both svchost.com, the dropped copy listed under "Executes dropped EXE"), i.e. the same stub running three times.
Neshta

Neshta is a file infector that prepends its own code to .exe files, so that starting an infected program runs the virus first. The virus drops a copy of itself (here C:\Windows\svchost.com), rewrites the exefile shell association so that every executable launch passes through that copy, writes C:\Windows\directx.sys (opened for modification by svchost.com below), and then launches the original program, which is how it spreads to further files without the user noticing. In this run the original program is an Adguard installer (ADGUAR~1.EXE, spawned by svchost.com), so most of the installer, MSI and Adguard activity in the signatures below is the infected host doing its normal job; the .exe files the sample opens for modification under Program Files are infection targets.

Neshta family
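Recovering the original program from a Neshta-infected file is the first thing a responder wants after a hit like the one above. Neshta is commonly described as a prepender with a fixed-size stub of about 41 KB; rather than trust that constant, the following added example (written for this page, not code from the report, the sandbox or the Neshta sample) scans the file for the next MZ header that resolves to a valid PE signature and carves the host from there. The stub and host PE images are constructed in the block, with a decoy "MZ" in the stub body to show why the header must be validated.

```python
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64"}


def pe_header_at(data: bytes, base: int):
    """If data[base:] starts a plausible PE image, return the offset of its
    'PE\\0\\0' signature, otherwise None.  e_lfanew, the NT signature and the
    COFF machine/section fields are all checked so that stray 'MZ' byte
    pairs inside code or data are rejected."""
    if data[base:base + 2] != DOS_MAGIC or base + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if pe + 4 + 20 > len(data) or data[pe:pe + 4] != PE_MAGIC:
        return None
    machine, nsections = struct.unpack_from("<HH", data, pe + 4)
    if machine not in KNOWN_MACHINES or not 0 < nsections <= 96:
        return None
    return pe


def find_pe_images(data: bytes):
    """Offsets of every validated MZ header in the buffer, in file order."""
    found, pos = [], 0
    while (pos := data.find(DOS_MAGIC, pos)) != -1:
        if pe_header_at(data, pos) is not None:
            found.append(pos)
        pos += 1
    return found


def carve_neshta_host(infected: bytes):
    """For a prepender infection (virus stub first, original program after
    it) return the original program's bytes.  Returns None when the buffer
    holds fewer than two PE images, i.e. it is not a prepender-style file."""
    images = find_pe_images(infected)
    if len(images) < 2:
        return None
    return infected[images[1]:]


def build_minimal_pe(machine: int, body: bytes) -> bytes:
    """Constructed test input (not a real binary): a 64-byte DOS header whose
    e_lfanew points at 'PE\\0\\0' plus a 20-byte COFF header, then `body`."""
    dos = bytearray(64)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)           # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_MAGIC + coff + body


# Constructed sample: a 32-bit "stub" whose body contains a decoy "MZ" that is
# not followed by a valid PE header, then the 64-bit "host" program.
STUB = build_minimal_pe(0x014C, b"stub code " + b"MZ" + bytes(0x50) + b"end of stub")
HOST = build_minimal_pe(0x8664, b"original program body")
INFECTED = STUB + HOST

if __name__ == "__main__":
    print("validated PE images at offsets:", find_pe_images(INFECTED))
    print("host recovered intact:", carve_neshta_host(INFECTED) == HOST)
```

On a real sample, feed the bytes of the infected file and compare the carved result against a known-good copy or its published hash before trusting it; the stub itself (the first image) is what the family_neshta rule above matched in memory.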
-
Downloads MZ/PE file (1 IoCs)
flow | pid | Process
80 | 2792 | Process not Found
Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Drivers\vwifikerneldrv.sys | AdguardSvc.exe
File created | C:\Windows\system32\drivers\adgnetworkwfpdrv.sys | Adguard.Tools.exe
File opened for modification | C:\Windows\system32\drivers\adgnetworkwfpdrv.sys | Adguard.Tools.exe
adgnetworkwfpdrv.sys is Adguard's WFP network filter driver (the same file is also written under C:\Program Files (x86)\Adguard\Drivers below); these drops come from the installed Adguard service and tools, not from the Neshta stub.
Manipulates Digital Signatures (1 TTPs, 4 IoCs)
The ChainUrlRetrievalTimeoutMilliseconds and ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds values under Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config bound how long the certificate-chain engine waits for CRL and OCSP downloads while building an Authenticode chain. Lowering them (here to 200 ms and 500 ms) makes revocation lookups give up almost at once; since the default Authenticode policy tolerates an unreachable revocation server, revocation checking is in effect skipped, but the change cannot make an unsigned or tampered binary validate. The writer is rundll32.exe, which in this trace hosts the installer's MSI custom action (Adguard.CustomActions.dll under C:\Windows\Installer\MSI*.tmp-), a tweak installers commonly apply so that .NET assembly loading does not stall on offline revocation checks. Treat it as installer behaviour unless the writing process points elsewhere.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainUrlRetrievalTimeoutMilliseconds = "200" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds = "500" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainUrlRetrievalTimeoutMilliseconds = "200" | rundll32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds = "500" | rundll32.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Reads the country code configured in the registry (Control Panel\International\Geo\Nation). Malware often uses it as a geofence, but installers read it for localisation as well; here both the infected sample and the MSI custom action host (rundll32.exe) query it.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000\Control Panel\International\Geo\Nation | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Key value queried | \REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000\Control Panel\International\Geo\Nation | rundll32.exe
Executes dropped EXE (9 IoCs)
pid | Process
3216 | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
1712 | svchost.com
1396 | ADGUAR~1.EXE
220 | svchost.com
3952 | ADGUAR~1.EXE
4396 | AdguardSvc.exe
4092 | Adguard.exe
2072 | Adguard.Tools.exe
4112 | AdguardNetReg.exe
PIDs are reused during the run: 220 appears here as svchost.com and elsewhere as rundll32.exe, and 2072 appears as both Adguard.Tools.exe and MsiExec.exe, so correlate on PID plus image name, not PID alone.
Loads dropped DLL (64 IoCs)
pid | Process | events
2072 | MsiExec.exe | 9
5016 | rundll32.exe | 5
220 | rundll32.exe | 5
4376 | rundll32.exe | 5
4524 | MsiExec.exe | 2
4700 | rundll32.exe | 5
4396 | AdguardSvc.exe | 24
4092 | Adguard.exe | 8
4112 | AdguardNetReg.exe | 1
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
The stock value of this key is "%1" %*. After the change, every .exe launched through the shell runs the dropped C:\Windows\svchost.com first, with the intended program as its argument; the intended program still runs, so the user notices nothing, while the stub gets another chance to infect files. This key, not the Run key below, is Neshta's persistence. Deleting svchost.com without restoring the key leaves a machine on which no .exe can be started from Explorer.
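The value above is printed by the sandbox with its backslashes and quotes escaped, which is easy to misread. As an added example (not part of the report), the helper below unescapes a value in that form, decides whether an exefile handler is the stock one, a hijack of the kind shown here (a foreign program that is handed the real target via "%1"), or a broken handler that swallows the target, and emits the .reg text that restores the default. The launcher path in the third sample is constructed; the first sample is the value from this report.

```python
import re

DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"


def from_report_literal(literal: str) -> str:
    """Undo the escaping the sandbox report applies to string values: the
    value is wrapped in double quotes and every backslash and quote inside it
    is backslash-escaped."""
    inner = literal.strip()
    if len(inner) >= 2 and inner[0] == inner[-1] == '"':
        inner = inner[1:-1]
    return re.sub(r"\\(.)", r"\1", inner)


def classify_exefile_command(value: str):
    """Return (verdict, interposed_program) for an exefile open command.
    'default'  : the stock handler "%1" %*
    'hijacked' : another program runs first and receives the real target
                 through "%1" (the Neshta pattern above)
    'broken'   : another program runs and "%1" is never passed on
    An unquoted interposer path is assumed to contain no spaces."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return "default", None
    m = re.match(r'^(?:"([^"]+)"|(\S+))\s*(.*)$', v)
    if not m:
        return "broken", None
    program, rest = m.group(1) or m.group(2), m.group(3)
    if program == "%1":                      # stock handler with odd spacing
        return "default", None
    return ("hijacked" if "%1" in rest else "broken"), program


def repair_reg_file() -> str:
    """Text of a .reg file restoring the stock handler.  In .reg syntax quotes
    and backslashes inside a string value are backslash-escaped, so the value
    "%1" %* is written as \\"%1\\" %*."""
    escaped = DEFAULT_EXEFILE_COMMAND.replace("\\", "\\\\").replace('"', '\\"')
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{EXEFILE_COMMAND_KEY}]\r\n"
            f'@="{escaped}"\r\n')


# First value is the one printed in this report; the other two are constructed.
REPORT_VALUE = r'"C:\\Windows\\svchost.com \"%1\" %*"'
SAMPLES = [
    ("this report", from_report_literal(REPORT_VALUE)),
    ("clean system", '"%1" %*'),
    ("constructed launcher that drops the target", r'"C:\Tools\launcher.exe" --quiet'),
]

if __name__ == "__main__":
    for label, value in SAMPLES:
        print(f"{label}: {value!r} -> {classify_exefile_command(value)}")
    print(repair_reg_file())
```

On a live host the same value is read with `reg query HKCR\exefile\shell\open\command /ve`; restore the key (the .reg text above, or `reg add` with the default value) before removing C:\Windows\svchost.com, and then re-check the hijack has not returned, since any infected .exe that is run again re-installs it.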
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adguard = "C:\\Program Files (x86)\\Adguard\\Adguard.exe" | rundll32.exe
The entry points at the installed Adguard.exe and is written by the MSI custom action host; it is the product's autostart rather than Neshta persistence.
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
22 | 1156 | msiexec.exe
24 | 1156 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E: and \??\G: through \??\Z: (23 drive letters, each opened twice; C:, D: and F: do not appear) | msiexec.exe
All 46 opens belong to msiexec.exe probing volumes for disk-space costing, which is routine Windows Installer behaviour.
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\d3dx9_11.dll.tmp | AdguardSvc.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Adguard.Tools.exe.log | Adguard.Tools.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
The 38 "opened for modification" entries by the sample are existing .exe files under Program Files, listed in 8.3 short-name form; these are Neshta infection targets. The remaining 26 entries are the Adguard installer (msiexec.exe) and its service (AdguardSvc.exe) writing the product's own files.
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MICROS~4.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\MSEDGE~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MI391D~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EdgeCore\132029~1.140\ELEVAT~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MICROS~2.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~2\13195~1.43\MI9C33~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Http.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Network.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\langs\Adguard.UI.resources.ru.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\drivers.bin | msiexec.exe
File created | C:\Program Files (x86)\Adguard\AdguardSvc.exe.config | msiexec.exe
File created | C:\Program Files (x86)\Adguard\nss\softokn3.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\nss\nspr4.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\nss\plc4.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Filter.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\AdguardNetApi.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\init.bin | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.UI.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Proxy.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Tools.exe | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Adguard.Commons.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\AdguardNetLib.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\PresentationFramework.Aero.dll | msiexec.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetReg.exe | AdguardSvc.exe
File opened for modification | C:\Program Files (x86)\Adguard\Drivers\x86\AdguardNetLib.dll | AdguardSvc.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x86\AdguardNetLib.dll | AdguardSvc.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x86\adgnetworktdidrv.sys | AdguardSvc.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworktdidrv.sys | AdguardSvc.exe
File opened for modification | C:\Program Files (x86)\Adguard\Drivers\x86\adgnetworkwfpdrv.sys | AdguardSvc.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworkwfpdrv.sys | AdguardSvc.exe
File opened for modification | C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetLib.dll | AdguardSvc.exe
File created | C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetLib.dll | AdguardSvc.exe
Drops file in Windows directory (42 IoCs)
description | ioc | Process
The five entries touching C:\Windows\svchost.com and C:\Windows\directx.sys are the Neshta artefacts; everything else is Windows Installer staging the MSI and its custom actions.
File opened for modification | C:\Windows\svchost.com | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification | C:\Windows\svchost.com | svchost.com (2 events)
File opened for modification | C:\Windows\directx.sys | svchost.com (2 events)
File created | C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Uninstall.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Uninstall.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\e5880f3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF6B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB30A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAD64.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB2AB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI81BE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9779.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{685F6AB3-7C61-42D1-AE5B-3864E48D1035} | msiexec.exe
File created | C:\Windows\Installer\e5880f5.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF9B.tmp | msiexec.exe
File created | C:\Windows\Installer\e5880f3.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB0F4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB1EF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF1B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF2C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Icon.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE7E.tmp | msiexec.exe
File created | C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Icon.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI81BE.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB30A.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9779.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9779.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9779.tmp-\Adguard.CustomActions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIAD64.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI81BE.tmp-\Adguard.CustomActions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIAD64.tmp-\Adguard.CustomActions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB30A.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIAD64.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB30A.tmp-\Adguard.CustomActions.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI81BE.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\WinSxS\poqexecv2sys.log | AdguardSvc.exe
File created | C:\Windows\Installer\wix{685F6AB3-7C61-42D1-AE5B-3864E48D1035}.SchedServiceConfig.rmi | MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Nearly every Windows process touches this key during NLS initialisation, so on its own this signature carries little weight.
description | ioc | Process (events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe (4), cmd.exe (2), net1.exe (2), net.exe (2), MsiExec.exe (2), svchost.com (2), JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe (2), Adguard.exe (1), AdguardSvc.exe (1), msiexec.exe (1), MicrosoftEdgeUpdate.exe (1)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2240 | MicrosoftEdgeUpdate.exe
The only process flagged is the Edge updater that ran during the analysis window, so this is not attributable to the sample.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here every event belongs to vssvc.exe, the Volume Shadow Copy service, creating and filling the Partmgr partition-table and snapshot caches for the disk. That is a side effect of the MSI creating a system restore point (srtasks.exe also appears below with backup and restore privileges), not evasion by the sample.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AdguardSvc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AdguardSvc.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | AdguardSvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | AdguardSvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | AdguardSvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | AdguardSvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | AdguardSvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | AdguardSvc.exe
Modifies registry class (25 IoCs)
description | ioc | Process
All but two entries are Windows Installer registering product 3BA6F58616C71D24EAB583464ED80153 (ProductName "Adguard"; the Version value 84543491 is 0x050A0803, i.e. 5.10.2051 in the MSI major<<24 | minor<<16 | build encoding). The exefile entry is the Neshta association hijack already listed above.
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Key created | \REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3BA6F58616C71D24EAB583464ED80153 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E5674DA1C957254AA41A33512538F4C | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3BA6F58616C71D24EAB583464ED80153\Complete | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\ProductIcon = "C:\\Windows\\Installer\\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\\Icon.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\ProductName = "Adguard" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Version = "84543491" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\DeploymentFlags = "3" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\PackageCode = "BEFABE847060739469BFE44F36E677D2" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adguard\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\PackageName = "setup.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E5674DA1C957254AA41A33512538F4C\3BA6F58616C71D24EAB583464ED80153 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\adguard\\" | msiexec.exe
Modifies system certificate store (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A5798ECF3BF3D31663A3BB648952BC22B21401B1 | AdguardSvc.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A5798ECF3BF3D31663A3BB648952BC22B21401B1\Blob = 030000000100000014000000a5798ecf3bf3d31663a3bb648952bc22b21401b120000000010000000a03000030820306308201eea0030201020211009419e982e375040981d941c66b48d170300d06092a864886f70d01010b0500302b310b300906035504061302454e311c301a06035504030c134164677561726420506572736f6e616c2043413020170d3035303231343131353332345a180f32303635303133303131353332345a302b310b300906035504061302454e311c301a06035504030c134164677561726420506572736f6e616c20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b274667a9ffe45769f07a04c595f4e498f455a463ce18420eff193d783ae808316b17f6d7b882f0c0fa1b54204b4728a23d11d621a7000610c5aa51b799561e9ab4fbfde2b0d913e767c25dea319c135a988c8df9726f2b879aeb1fa82a39f2c87d16a39376fac5152f4d4eed74d768beb7b7b804e9b7544f42026273f99093553d6cbf97d705106475ccb3040fc5cd3943588ba2a6585cdb91e666ccfad43fcb15ce58c9113b634a0d675966ccab1b5c9eee74c2e6f97fc7d29a2b0ae6bf8bb63d10f097bd2b20861c92eb6dd86b911b6b63718b655b73bf28a34ba2e99426bcd074d13267f5439ca39ea2a8f5d6eb59f284edc2651373a60444093afec69a70203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051c56566971f0f5dc365acaad573aa60a58db1ef410d714f9c3e08a6234afcfdd001bb0dfb7ccc7723be9db6cc54224d6a372ed767d4b35b9f1465cf40a8a2764bcde8b2eaa409ec6b3e7ee2f23a9b12a54e5de0c7a12620f221187f79e7cc64b2fb3beb2f7702ea8b1d9495a36117c724e2f3456f285fb4d9ed12b8d8b63058afd471659ff69fa6af6f975694a577428c7895b31d59e2af1522fd460cc258829c24503e90b36eb46b1c4b0460558fdbcd4293ad959a02d7adf1afe172cd774857b1bbbaa586321e02d9c32c63b97852eea58714bfefe312648c84471e60db7439e5732de64298998230a8f4f96167f767f8bdada5c1ae7a4156d585b9f467ce | AdguardSvc.exe
Decoding the Blob shows a self-signed, 2048-bit RSA CA certificate with subject and issuer C=EN, CN=Adguard Personal CA, valid from 2005-02-14 to 2065-01-30, with cA=TRUE in basicConstraints. Adguard installs this root to filter HTTPS, which means the product can decrypt TLS for every application on the host that trusts the machine ROOT store. Here it is a known feature of the legitimate host program; the same IoC from unknown software would be a serious finding in its own right.
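The registry Blob above is a serialized certificate-store element: a sequence of (property id, reserved, length, data) records in which property 3 is the SHA-1 thumbprint and property 32 is the DER certificate. The following added example (written for this page, not code from the report or from Adguard) parses the Blob copied verbatim from this report, checks that the key name is the stored thumbprint and recomputes SHA-1 over the DER, and walks enough DER to print subject, issuer, validity and the basicConstraints cA flag. It uses only the standard library; the minimal DER reader assumes single-byte tags and definite lengths, which is all a certificate needs.

```python
import hashlib
import struct

# Registry Blob value copied from this report; the key it sits under is named
# after the certificate's SHA-1 thumbprint.  Whitespace is cosmetic.
THUMBPRINT_KEY = "A5798ECF3BF3D31663A3BB648952BC22B21401B1"
BLOB_HEX = """
030000000100000014000000a5798ecf3bf3d31663a3bb648952bc22b21401b1 20000000010000000a030000
30820306308201eea0030201020211009419e982e375040981d941c66b48d170 300d06092a864886f70d01010b0500302b310b300906035504061302454e311c
301a06035504030c134164677561726420506572736f6e616c2043413020170d 3035303231343131353332345a180f32303635303133303131353332345a302b
310b300906035504061302454e311c301a06035504030c134164677561726420 506572736f6e616c20434130820122300d06092a864886f70d01010105000382
010f003082010a0282010100
b274667a9ffe45769f07a04c595f4e498f455a463ce18420eff193d783ae8083 16b17f6d7b882f0c0fa1b54204b4728a23d11d621a7000610c5aa51b799561e9
ab4fbfde2b0d913e767c25dea319c135a988c8df9726f2b879aeb1fa82a39f2c 87d16a39376fac5152f4d4eed74d768beb7b7b804e9b7544f42026273f990935
53d6cbf97d705106475ccb3040fc5cd3943588ba2a6585cdb91e666ccfad43fc b15ce58c9113b634a0d675966ccab1b5c9eee74c2e6f97fc7d29a2b0ae6bf8bb
63d10f097bd2b20861c92eb6dd86b911b6b63718b655b73bf28a34ba2e99426b cd074d13267f5439ca39ea2a8f5d6eb59f284edc2651373a60444093afec69a7
0203010001a3233021300f0603551d130101ff040530030101ff300e0603551d 0f0101ff040403020106300d06092a864886f70d01010b05000382010100
51c56566971f0f5dc365acaad573aa60a58db1ef410d714f9c3e08a6234afcfd d001bb0dfb7ccc7723be9db6cc54224d6a372ed767d4b35b9f1465cf40a8a276
4bcde8b2eaa409ec6b3e7ee2f23a9b12a54e5de0c7a12620f221187f79e7cc64 b2fb3beb2f7702ea8b1d9495a36117c724e2f3456f285fb4d9ed12b8d8b63058
afd471659ff69fa6af6f975694a577428c7895b31d59e2af1522fd460cc25882 9c24503e90b36eb46b1c4b0460558fdbcd4293ad959a02d7adf1afe172cd7748
57b1bbbaa586321e02d9c32c63b97852eea58714bfefe312648c84471e60db74 39e5732de64298998230a8f4f96167f767f8bdada5c1ae7a4156d585b9f467ce
"""
BLOB = bytes.fromhex("".join(BLOB_HEX.split()))

CERT_SHA1_HASH_PROP_ID = 3      # CERT_SHA1_HASH_PROP_ID
CERT_CERT_PROP_ID = 32          # CERT_CERT_PROP_ID: the encoded certificate
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O"}
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"


def parse_store_blob(blob: bytes) -> dict:
    """Split a serialized store element into {prop_id: data}; each property
    is <DWORD prop_id><DWORD reserved=1><DWORD length><bytes>."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, pos)
        pos += 12
        props[prop_id] = blob[pos:pos + size]
        pos += size
    return props


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out


def name_to_str(name: bytes) -> str:
    """X.501 Name -> 'C=EN, CN=...' (unknown attribute types shown as hex)."""
    parts = []
    for _, rdn_set in der_children(name):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def describe_root_cert(blob: bytes, key_name: str) -> dict:
    """Summarise the fields a reviewer of a certificate-store hit needs."""
    props = parse_store_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    _, cert_body, _ = der_tlv(der)
    _, tbs = der_children(cert_body)[0]              # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] != 0xA0:                          # version [0] EXPLICIT is optional
        fields.insert(0, (0xA0, b""))
    serial, _sig_alg, issuer, validity, subject = [v for _, v in fields[1:6]]
    not_before, not_after = [v.decode() for _, v in der_children(validity)]
    is_ca = False
    if len(fields) > 7:                               # extensions [3] EXPLICIT
        for _, ext in der_children(der_children(fields[7][1])[0][1]):
            items = der_children(ext)                 # OID, [critical], OCTET STRING
            if items[0][1] == OID_BASIC_CONSTRAINTS:
                inner = der_children(der_children(items[-1][1])[0][1])
                is_ca = bool(inner) and inner[0] == (0x01, b"\xff")
    return {
        "key_name_is_sha1_prop": props[CERT_SHA1_HASH_PROP_ID].hex() == key_name.lower(),
        "sha1_of_der_matches_key": hashlib.sha1(der).hexdigest() == key_name.lower(),
        "serial": serial.hex(),
        "subject": name_to_str(subject),
        "self_signed": issuer == subject,
        "not_before": not_before,
        "not_after": not_after,
        "is_ca": is_ca,
    }


if __name__ == "__main__":
    for k, v in describe_root_cert(BLOB, THUMBPRINT_KEY).items():
        print(f"{k}: {v}")
```

The UTCTime notBefore "050214115324Z" is 2005-02-14 and the GeneralizedTime notAfter is 2065-01-30, a sixty-year lifetime for a locally generated root. The same parser works on any Blob exported from HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which makes it a quick way to review what a suspicious installer added to the trusted root store.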
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
5016 | rundll32.exe | 64
Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
664 | Process not Found
664 | Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process (events)
Token: SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege | 1156 | msiexec.exe (31)
Token: SeSecurityPrivilege (1), SeBackupPrivilege (1), SeRestorePrivilege (10), SeTakeOwnershipPrivilege (9) | 4120 | msiexec.exe (21)
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 212 | vssvc.exe (3)
Token: SeDebugPrivilege | 5016 | rundll32.exe (1)
Token: SeBackupPrivilege (2), SeRestorePrivilege (2), SeSecurityPrivilege (2), SeTakeOwnershipPrivilege (2) | 1116 | srtasks.exe (8)
The 1156 sweep is the enable-every-privilege pass an interactive msiexec client performs, and 4120 is the Windows Installer service replacing files with backup/restore semantics. The one entry worth a second look is rundll32.exe 5016 enabling SeDebugPrivilege: it is also the PID with the 64 EnumeratesProcesses events, consistent with a custom action that locates and handles running processes.
Suspicious use of FindShellTrayWindow 11 IoCs
pid Process
1156 msiexec.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
1156 msiexec.exe
4092 Adguard.exe
4092 Adguard.exe
-
Suspicious use of SendNotifyMessage 9 IoCs
pid Process
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
4092 Adguard.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
-
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target
PID 1644 wrote to memory of 3216 1644 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 87
PID 1644 wrote to memory of 3216 1644 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 87
PID 1644 wrote to memory of 3216 1644 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 87
PID 3216 wrote to memory of 1156 3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 90
PID 3216 wrote to memory of 1156 3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 90
PID 3216 wrote to memory of 1156 3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 90
PID 4120 wrote to memory of 1116 4120 msiexec.exe 106
PID 4120 wrote to memory of 1116 4120 msiexec.exe 106
PID 4120 wrote to memory of 2072 4120 msiexec.exe 108
PID 4120 wrote to memory of 2072 4120 msiexec.exe 108
PID 4120 wrote to memory of 2072 4120 msiexec.exe 108
PID 2072 wrote to memory of 5016 2072 MsiExec.exe 109
PID 2072 wrote to memory of 5016 2072 MsiExec.exe 109
PID 2072 wrote to memory of 5016 2072 MsiExec.exe 109
PID 2072 wrote to memory of 220 2072 MsiExec.exe 118
PID 2072 wrote to memory of 220 2072 MsiExec.exe 118
PID 2072 wrote to memory of 220 2072 MsiExec.exe 118
PID 2072 wrote to memory of 4376 2072 MsiExec.exe 120
PID 2072 wrote to memory of 4376 2072 MsiExec.exe 120
PID 2072 wrote to memory of 4376 2072 MsiExec.exe 120
PID 4120 wrote to memory of 4524 4120 msiexec.exe 121
PID 4120 wrote to memory of 4524 4120 msiexec.exe 121
PID 4120 wrote to memory of 4524 4120 msiexec.exe 121
PID 2072 wrote to memory of 4700 2072 MsiExec.exe 122
PID 2072 wrote to memory of 4700 2072 MsiExec.exe 122
PID 2072 wrote to memory of 4700 2072 MsiExec.exe 122
PID 4700 wrote to memory of 1712 4700 rundll32.exe 124
PID 4700 wrote to memory of 1712 4700 rundll32.exe 124
PID 4700 wrote to memory of 1712 4700 rundll32.exe 124
PID 1712 wrote to memory of 1396 1712 svchost.com 125
PID 1712 wrote to memory of 1396 1712 svchost.com 125
PID 4700 wrote to memory of 220 4700 rundll32.exe 127
PID 4700 wrote to memory of 220 4700 rundll32.exe 127
PID 4700 wrote to memory of 220 4700 rundll32.exe 127
PID 220 wrote to memory of 3952 220 svchost.com 128
PID 220 wrote to memory of 3952 220 svchost.com 128
PID 4700 wrote to memory of 1312 4700 rundll32.exe 130
PID 4700 wrote to memory of 1312 4700 rundll32.exe 130
PID 4700 wrote to memory of 1312 4700 rundll32.exe 130
PID 1312 wrote to memory of 1884 1312 cmd.exe 132
PID 1312 wrote to memory of 1884 1312 cmd.exe 132
PID 1312 wrote to memory of 1884 1312 cmd.exe 132
PID 1884 wrote to memory of 4828 1884 net.exe 133
PID 1884 wrote to memory of 4828 1884 net.exe 133
PID 1884 wrote to memory of 4828 1884 net.exe 133
PID 4700 wrote to memory of 704 4700 rundll32.exe 135
PID 4700 wrote to memory of 704 4700 rundll32.exe 135
PID 4700 wrote to memory of 704 4700 rundll32.exe 135
PID 704 wrote to memory of 4676 704 cmd.exe 137
PID 704 wrote to memory of 4676 704 cmd.exe 137
PID 704 wrote to memory of 4676 704 cmd.exe 137
PID 4676 wrote to memory of 456 4676 net.exe 138
PID 4676 wrote to memory of 456 4676 net.exe 138
PID 4676 wrote to memory of 456 4676 net.exe 138
PID 4700 wrote to memory of 4092 4700 rundll32.exe 139
PID 4700 wrote to memory of 4092 4700 rundll32.exe 139
PID 4700 wrote to memory of 4092 4700 rundll32.exe 139
PID 4396 wrote to memory of 2072 4396 AdguardSvc.exe 141
PID 4396 wrote to memory of 2072 4396 AdguardSvc.exe 141
PID 2072 wrote to memory of 4112 2072 Adguard.Tools.exe 143
PID 2072 wrote to memory of 4112 2072 Adguard.Tools.exe 143
-
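The WriteProcessMemory rows above are, in practice, the sandbox's process-creation log: each row records a parent writing into a child it has just started. Two things trip up a quick read of them. First, PIDs are reused within the run: 220 is first a rundll32.exe custom action and later a svchost.com launcher, and 2072 is first MsiExec.exe and later Adguard.Tools.exe, so the only safe key is the last column (procid_target, the sandbox's own per-process index), not the PID. Second, the Neshta infection shows up in the tree as C:\Windows\svchost.com (Windows ships svchost.exe, never a .com) launching the real program: the dropper changes the .exe file association so that every launch goes through that copy, which then starts the intended binary, which is exactly what the two svchost.com entries under PID 4700 do. The script below is an added example, not part of the sandbox report or the sandbox vendor's tooling; it rebuilds the tree from a constructed subset of this report's own rows and lists every svchost.com launcher with the programs it relaunched. The negative indices it assigns to roots that never appear as a child, and the "?" placeholder for a process whose image name is never revealed by a row, are this example's own conventions.

```python
"""Rebuild the sandbox's process tree from its 'Suspicious use of WriteProcessMemory'
rows and flag Neshta's svchost.com launcher.

Each row is 'PID <parent> wrote to memory of <child> <parent> <parent image> <child index>'.
The last column (procid_target) is the sandbox's unique process index; PIDs are
reused within a run (220 is first rundll32.exe, then svchost.com; 2072 is first
MsiExec.exe, then Adguard.Tools.exe), so nodes are keyed on that index, not the PID.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ROW = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pimage>\S+) (?P<cidx>\d+)$"
)

# Constructed sample: a subset of the rows from the report above, keeping the
# duplicated entries and both PID-reuse cases (220 and 2072).
SAMPLE_ROWS = """
PID 1644 wrote to memory of 3216 1644 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 87
PID 1644 wrote to memory of 3216 1644 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 87
PID 3216 wrote to memory of 1156 3216 JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe 90
PID 4120 wrote to memory of 2072 4120 msiexec.exe 108
PID 2072 wrote to memory of 220 2072 MsiExec.exe 118
PID 2072 wrote to memory of 4700 2072 MsiExec.exe 122
PID 4700 wrote to memory of 1712 4700 rundll32.exe 124
PID 1712 wrote to memory of 1396 1712 svchost.com 125
PID 4700 wrote to memory of 220 4700 rundll32.exe 127
PID 220 wrote to memory of 3952 220 svchost.com 128
PID 4700 wrote to memory of 4092 4700 rundll32.exe 139
PID 4396 wrote to memory of 2072 4396 AdguardSvc.exe 141
PID 2072 wrote to memory of 4112 2072 Adguard.Tools.exe 143
"""


@dataclass
class Proc:
    idx: int                       # sandbox process index (unique within the run)
    pid: int
    image: str = "?"               # learned only when the process later acts as a parent
    parent: Optional[int] = None   # parent's idx; None for a root
    children: List[int] = field(default_factory=list)


def parse_rows(text: str) -> Dict[int, Proc]:
    """Return {idx: Proc}. Roots that never appear as a child get synthetic negative indices."""
    procs: Dict[int, Proc] = {}
    next_root = -1

    def resolve_parent(pid: int, image: str, child_idx: int) -> Proc:
        nonlocal next_root
        # The parent is the most recently created process with this PID; that is how a
        # reused PID (220, 2072) is attributed to the right process.
        cands = [p for p in procs.values() if p.pid == pid and p.idx < child_idx]
        if cands:
            node = max(cands, key=lambda p: p.idx)
        else:
            node = Proc(idx=next_root, pid=pid)
            procs[next_root] = node
            next_root -= 1
        if node.image == "?":
            node.image = image
        return node

    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        child_idx = int(m["cidx"])
        if child_idx in procs:      # the report lists each creation up to three times
            continue
        parent = resolve_parent(int(m["ppid"]), m["pimage"], child_idx)
        procs[child_idx] = Proc(idx=child_idx, pid=int(m["cpid"]), parent=parent.idx)
        parent.children.append(child_idx)
    return procs


def neshta_launchers(procs: Dict[int, Proc]) -> List[tuple]:
    """(idx, pid, child PIDs) for every svchost.com process. Windows ships svchost.exe,
    never svchost.com; Neshta installs C:\\Windows\\svchost.com and points the .exe file
    association at it, so each child here is a program it relaunched on the user's behalf."""
    return sorted(
        (p.idx, p.pid, [procs[c].pid for c in p.children])
        for p in procs.values()
        if p.image.lower() == "svchost.com"
    )


def render(procs: Dict[int, Proc]) -> List[str]:
    """Indented tree, one line per process, roots in creation order."""
    out: List[str] = []

    def walk(node: Proc, depth: int) -> None:
        out.append(f"{'  ' * depth}{node.image} (pid {node.pid}, idx {node.idx})")
        for c in node.children:
            walk(procs[c], depth + 1)

    for root in sorted((p for p in procs.values() if p.parent is None), key=lambda p: p.idx):
        walk(root, 0)
    return out


if __name__ == "__main__":
    tree = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(tree)))
    print("svchost.com launchers:", neshta_launchers(tree))
```

On the sample the two launchers come back as index 124 (PID 1712, relaunching PID 1396) and index 127 (PID 220, relaunching PID 3952), and the two processes that shared PID 2072 stay separate nodes (108 MsiExec.exe, 141 Adguard.Tools.exe). A process that never spawns anything keeps the "?" image; to name those you would join on the Processes list further down, which carries the image path and command line for every PID.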
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this trace the usage is attributable to the Windows Installer service (msiexec.exe, PID 4120) creating a system restore point: it spawns srtasks.exe ExecuteScopeRestorePoint (PID 1116), and vssvc.exe (PID 212) enables SeBackupPrivilege and SeRestorePrivilege to take the snapshot. That is normal MSI behaviour; the process tree contains no vssadmin.exe or wmic shadowcopy invocation, so this signature is not evidence of shadow-copy deletion here.
Processes
Each entry: [tree depth] image path, then the command line, the PID and the signatures it triggered; indentation follows the parent/child relationship.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe"
    PID: 1644
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe"
      PID: 3216
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec /i C:\Users\Admin\AppData\Local\Temp\adguard\setup.msi AID=11947
        PID: 1156
        - Blocklisted process makes network request
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 4120
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1116
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D52618583F9268D428A199496284BC8D
      PID: 2072
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe "C:\Windows\Installer\MSI81BE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240681515 2 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnFirstInstall
        PID: 5016
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe "C:\Windows\Installer\MSI9779.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240686984 15 Adguard.CustomActions!Adguard.CustomActions.CustomActions.PermanentActions
        PID: 220
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe "C:\Windows\Installer\MSIAD64.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240692625 30 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnInstallInitialize
        PID: 4376
        - Manipulates Digital Signatures
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe "C:\Windows\Installer\MSIB30A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240694015 94 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnInstallFinalize
        PID: 4700
        - Manipulates Digital Signatures
        - Checks computer location settings
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\svchost.com
          Command line: "C:\Windows\svchost.com" "C:\PROGRA~2\Adguard\ADGUAR~1.EXE"
          PID: 1712
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\PROGRA~2\Adguard\ADGUAR~1.EXE
            Command line: C:\PROGRA~2\Adguard\ADGUAR~1.EXE
            PID: 1396
            - Executes dropped EXE
      [4] C:\Windows\svchost.com
          Command line: "C:\Windows\svchost.com" "C:\PROGRA~2\Adguard\ADGUAR~1.EXE" /f
          PID: 220
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\PROGRA~2\Adguard\ADGUAR~1.EXE
            Command line: C:\PROGRA~2\Adguard\ADGUAR~1.EXE /f
            PID: 3952
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd.exe" /C "net start "Adguard Service""
          PID: 1312
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net.exe
            Command line: net start "Adguard Service"
            PID: 1884
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start "Adguard Service"
              PID: 4828
              - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd.exe" /C "net start "Adguard Service""
          PID: 704
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net.exe
            Command line: net start "Adguard Service"
            PID: 4676
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 start "Adguard Service"
              PID: 456
              - System Location Discovery: System Language Discovery
      [4] C:\Program Files (x86)\Adguard\Adguard.exe
          Command line: "C:\Program Files (x86)\Adguard\Adguard.exe" /visible
          PID: 4092
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6E3151C923E416AA8354A29863B9B72D E Global\MSI0000
      PID: 4524
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTYxODQ5MDUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    PID: 2240
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 212
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe
    PID: 3980

[1] C:\Program Files (x86)\Adguard\AdguardSvc.exe
    Command line: "C:\Program Files (x86)\Adguard\AdguardSvc.exe"
    PID: 4396
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Adguard\Adguard.Tools.exe
      Command line: "C:\Program Files (x86)\Adguard\Adguard.Tools.exe" /install wfp
      PID: 2072
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetReg.exe
        Command line: "Drivers\x64\AdguardNetReg.exe" adgnetworkwfpdrv
        PID: 4112
        - Executes dropped EXE
        - Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Modify Registry (3)
  Subvert Trust Controls (2)
    Install Root Certificate (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize
295KB
MD533107a8e68fb12cc104a211d082b0ac2
SHA1ffbd2175aef2846db1f5004740d7ec1ba533125c
SHA256f38cc624cc6e7f25a077324ff8940220d2d999c6b89cfd74bda6a00e73c87b48
SHA512269572fe9e028191d045f7615a51c283e7955d110161e45d8562b109ca90790dd4e687467f21a6975f804f62d6e5836a5d63eed68ca85629b84d8ecdcf542f61
-
Filesize
337KB
MD57284d34b31acaba49c50c2daee5b4bf0
SHA1c52f6a1aa24ae4d447d3df15826b9579fb6884ff
SHA256a61a3674bf842c9836917f72bf0b2be4466931d11f4e8f1a4931dc0736414450
SHA512a0b39aa61db99049527fa6bbe4d9808f277c6b5efbcc19cea53bcb43f7872cb0d7b0014788724ba372251a3e9cfb315843d1e484414147c6ce386100119d895c
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
126KB
MD5246012bdb779acdcb4f058dd33bedbff
SHA132cb320b20582fc3be192f921a9258b5094eea09
SHA256e4909b7e113f0761ceca4b51edc367955ab4e544132957486cce23dfd2f8d29e
SHA512f05066e9d6a82923962dcaa152ef0439f8c3bc9cf6a53134b069938a7dddf9f3e96f42a3292dc34cfb9c784cd11310bca1fcde4829ea51be0f56791639f092da
-
Filesize
1.9MB
MD51036a5756f04cba6c7f01deeeecf8ac6
SHA18fcff1106409bad8974d74b16ae6035e006ef8dc
SHA256a753557051177a292c07e936952558e266a3038fc60c324edf7333b32e635f19
SHA51218a3b31915d94df9958056bd94eeb4ca7957717deac970f98db441fd9374763aee62409308574ae18a93c6aed75ccb05fc1f7a12ca4c7620dcedd2c4ecb00245
-
Filesize
117KB
MD5fe392e13fb5c8be2ce9128449885bcb5
SHA10659e107869ca13d135e4ca5bfb47c28112f401f
SHA256d5a62598b0b4348a626d92fd2fbbf9d00f593587e2aacc93bb18136662fbd8c5
SHA5121b7ea1d684c80b0c56b81a4ad81536e1956a25b8f126c42a0ef2d55f1d83cc9c77d0d5dfd0c172fa16fa7251ff5e91493ca9c2c0f8eef21ea1cef6a5a6535fed
-
Filesize
40KB
MD5749e9a44ae656a51851ce13ee0a1b9c8
SHA1e9236af4f8ed8bb1ac5eb0c23676a5f2583cb96f
SHA25617846f73646a7251a56bd6c42981bb9e7b64806df29558e5baaecdf8c598b90b
SHA512f11b9367fbc4133ca14073b84d617bfcdbd13b3f42507105084d4f4a69f31f796ab6bafcad1de750469cb81c582b5c8a2f89cc4c5d7f99aa9abb49599c828fdb
-
Filesize
4.0MB
MD584b686e30f670af4366f4a346bc2b5e2
SHA180c9d333e98e79db72b00b28878cd9762c5ecf1d
SHA256bf9e8985e38420cbdd1705844ca58f264e69e35db66b2be84336125e5291d764
SHA512f9ab5996ca1dfe08792134baef6ad54b43f9df6642918aa7e51017159adf9c2f8da21543a44a4d26e46d59eac3a93a34d2d7cb878c8d13a0baca34957787c8eb
-
Filesize
4.0MB
MD5e304083dc56a02c3208e280de2b2569a
SHA138b9bb7cea98e22faa3522b6c79894216540b33c
SHA25655fae7d3c722e7be48d40c12d1f1dab9e51ad1e6b41517817542fa9713789293
SHA5125d0123f76e1e3ec85fa72cdbbd575a3db4f960ebed6926337ed79cfa804a4bd565327dec0bfbd4a605331075c83c100196eceff5e9f4f5373afcefcb6630121d
-
Filesize
4.0MB
MD52af22f1dd0aea7c0058bcc42f51829b9
SHA192057b688f7890bf533da9f6bb5e216a2fbf091b
SHA2569d0107db561a29c656e8170f921a6ae6ec37172d2d7f837132e3168493c58518
SHA512f64571cbd11bed0c7281b01ca2d5054ace57541357dbe387cf9a1b07f1e59c3fecf7772330d65bda00053f28063f24bdfbea55d0f78878de314812d350bd7ede
-
Filesize
1KB
MD55e6295e7a66d37c86542a268e660a499
SHA1d2806d11b81849475b13888e0fcb0ce2db5518bf
SHA25634d5e9da5133fdac0b86a40136ef54ebe854084ee6c0933a22cf4593de214fa7
SHA5123a9d52a8ed5878eae427d69d083fa5df03b3c26aa4ad489d85e80cd3c094831ffad7942229f80cc601663e6303cb7854c034a5bb12b5755de5fd6b29b0a57d6c
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A9510437CB4EEB09F4B3AC2BC980E19
Filesize208B
MD5ab2d90e31f879636619b699c51380024
SHA1e95fde8a7502ba5d2e7669b2eaf3b048d48f4652
SHA256f6beb29d7f5e616dda8eb02f798e1225c0777dd32c2ed14ea57951867fdbc14a
SHA51248235221414c525ffc092de28a69f0ba13ed703626ca02b9272c3de22f3dfefd11a88882ae1d7b9d2abf8cab9e62542d77f3c0385b3de828ccf9750938c029c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67
Filesize186B
MD52575dcae6f9f81af332dd8caf78c7b79
SHA1cb06420804e957f45f613be8f610de22f0bc6c51
SHA2564d00f694f95360b8a2bb9a1e499455615a536df65975ad6bf77d190f24782a31
SHA512e0d7c6d18353102d3ef5994e5c0271e78219273d88f2fc6ed8e36c1348a6a44e274afff39de44f21d0402b413cae7400c6cefe4c8759e5ff64e6d28cdd229514
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
11.4MB
MD55b8303360f8d585409d41be1a9513187
SHA1c09f1ece40407ee6260f31ea84c1a9ff685931e4
SHA2560eb35eb02667d3d23c14a2275db8e5ab292602b838e763f188a764765086c5c4
SHA512eb2d2e659adb638e372cd032fd1bdead5185586281df715f7c740b9cacae8f8e8da08bcbdc03088896a235493c4f16ab6b25db8dca3a048ea18bb8ca8b4dc382
-
Filesize
1.5MB
MD533c788ad055127fd3a37ca958a9adb51
SHA14fa0b653e27516d7186ef56117e197e6c89ff987
SHA2568d88f1eddb421c04f090fe09cfbc33c46244658fe77852e309014448bcc1da7f
SHA51291a2c604d69be7cc4c887dfa48c959c418b8c812db9ff3287bf4fe6219aed23f46f5bdc123ed3ce041ca4ba4977eedb901fb4e6ae9dff0953d41e5ac215e4d52
-
Filesize
8B
MD52ddb82ce1fe2405f94574cf2ef2dc03f
SHA1edb26df1b8be2cee7bd2f8cb0a3dd3aa499b64b8
SHA256a77122e7b44ab00063d5f50371abb8db042311e66137aa2e426f72e18ab5d819
SHA51241e37309d87d88cbb3d6b2eb2a24e9a3dd7476027ee1765a0cb0fae108957878346a17e091e385acde30285ddebca104d21ce636b7ec6e3f3b50ff83e8b2fcaa
-
Filesize
291KB
MD5e9b6b9fd50a6a3a13fad66d497fd7950
SHA1db392075dff3bffa5773dfcd5263dfd0d79159fe
SHA25651f161358a273a3035c8b0d9d8f0261cb7eef20e180d4276a3d046d05436e138
SHA512efd7253b81990b174d9daa1a13679ea7795a01d987e93b7ac82166aedaf482964fd00d91855d1457e6496267264b8f9ca008f5b89e43f71d9940b72e7aa8bdd0
-
Filesize
365KB
MD56ee23c8c7772171e6e894fa986f81bca
SHA1358751731976c09f5fadbd2616f36d07126982aa
SHA256964e10b474e406457581cf6717db6a917783532ce73d1ef8e76f01f06d40ae32
SHA5120255541b0e7b8483fb335bfbe920e80e514503769cfd863a60d465c671f83cb059d6795856db56f1ce50352f15b328d694558c0f49383ee4c6092912f380046a
-
Filesize
180KB
MD57d625fe73ab5f25390d5b663b0760bb8
SHA15dccf0b59215e47bd477ae563db9fb53fd1970a0
SHA25620af4ea25c5bfb6cf5ae236d2f213402c6040ebca2e7ab5c0983267d34ca1673
SHA512a7a12744afb89ff52d7cc5785edc9c42da0c796d3389cd39e7815623d9bdd4735f2410885714bc25e8fdf74e5cba8a1e3e691c0e47b775a2dce05bd0a5662a93
-
Filesize
234B
MD5dfbc95544efd4fd9aca13ca4d43440b5
SHA10b84c31f88a2e2c36732336b5674266205e1260e
SHA25693e7b3276f8bbaddf70f808df1b605cfbfd2b8b16c31f459efa66f6028ec1c10
SHA5126450d56de9767a09aacd8c880c10daaaeaee1e604553f47a7df2595b20e8dad7eadf5bd641524dee600a50c1b41e7cd26f85e211792bf9609701654c1df5c8a9
-
Filesize
181KB
MD5b1298b75b1c09fdbb3906aeec500f066
SHA1d84b4fe247a47ea7649f75e88791d34a60454f2e
SHA256826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e
SHA5122359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5
-
Filesize
101KB
MD5543f75540b657c47619488d9d479de17
SHA14b30aec5ad9e96f8101f116c1945eb3ae1b9bce7
SHA256aaf422c618cd70950c600b2890440ac24d9ebda82b9072ac3d59bd44a6ef2392
SHA512c1ff2ff0928e49a03e6204274273bb9ff581e7bba7bb3bf4534f7734ecc45bf3596c6a63386428248a1c1a733fd880c5ccdee2062a94227c6fcec2a8a9417ed4
-
Filesize
34B
MD5efe1b69e738f8520e0c7c7831e32c5bb
SHA1e243f6ac1d686e8fb475a414cccfc67259fd67d2
SHA2564e9df86fd4e68ad09aa7075634b3846ddcd9b5869f2b26dee5159d9e517dca4d
SHA512886105b7e1f537cbaf8931217f81fbcf3712b776850eaffea7856b7d522d25d45d3dcf11f8ea74bff1c37d34ce6c46ef34e70fd3f1e4ebfc3ef0e29735cf6d3a
-
Filesize
40KB
MD581baeae62298eda5bdb5d6bc28da08dc
SHA12eed11ab623bbd8cd71aba1fa9e30db5c82fce1e
SHA2563a87dd25b3cd5fd9e111bd1b6bd169a4a89e4edc021c7a8ad5e6d66b7adb244f
SHA5123e8f5acfc92ec0f3cf7c539369a16a75adc488de20384ce1f508f87d98818da03ab26be39c1b7c8d418c5aa8794752a48b0985415dd89633e38abf451b8ce402
-
Filesize
24.1MB
MD57d79321d3b9001bbb54de49af460eb8e
SHA1de1717fa0791699552872983343961e0b36a74ba
SHA2565c75dd5991a2fcfc5f32edb60d5420b5f53bead7e52efc852668a7cb5081b6db
SHA5127ca98eeeb8a0bfe338295ed028b8783bfe44a69c4ff947f90a3cbd333437f78c3daa5ffca55aa01b3b4e5044db2e17a941db067792a316559c7f34f3873ea990
-
\??\Volume{dd488ace-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1f45c86c-0cdb-44b6-84cd-e0b77d830f2b}_OnDiskSnapshotProp
Filesize6KB
MD597a0f6858c5e2c250c30e7475063015a
SHA162b01946ae0dc0b4e5c67e1ac74f88290c9ee0f4
SHA256939bbecd59eb06af5e92e061e1e6018f3c7028368eb8f432d8ee2d1dd8ac9979
SHA512c5c51ac00ce1b4ef2f35057f95da809f9cda4a3f4d8d14a7b44384df9b9b50166ed0c6953ad67eb1431b9056d02f5a9bd6fbe1facf8a62a41ae6b6c53a9a1e0b