Analysis
-
max time kernel
150s
-
max time network
133s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240611-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
-
submitted
20/06/2024, 22:23
Static task
static1
Behavioral task
behavioral1
Sample
09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
-
Size
833KB
-
MD5
09c839a2a506daa090d4f1016c0ad9c1
-
SHA1
983340b56a397086149feeaf2f82020e44692c93
-
SHA256
957cf88ba5481d47a8864d22ff8d12ec35d7aaadd419ff2e1682b2bbefac401a
-
SHA512
bbde4ae6d3dfe889f5f661d2bc788b46385ab8de2c3da7a4469992021e225820c5c278272803b9e0d3945ca5e27decc253d2fef0b1c5eb31ff8a0cd593084ceb
-
SSDEEP
12288:d3TdtLW5WIj1YSSdFxDbeC0XYEBSXyMzBUWb9lx/9AgHLo8OW+rBwtCsZ+USu6tD:FDsj1dEOC0XYEBcJ9nPx/igrp+CFZ80c
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral2/files/0x000700000002341b-77.dat family_ardamax -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tazebama.dl_ -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2028 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process
2704 tazebama.dl_
4556 svchost.exe
-
Loads dropped DLL 1 IoCs
pid Process 3148 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger = "C:\\Windows\\system32\\regsvr.exe" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost Agent = "C:\\Windows\\SysWOW64\\28463\\svchost.exe" svchost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_
File opened for modification F:\autorun.inf tazebama.dl_
File opened for modification C:\autorun.inf tazebama.dl_
-
Drops file in System32 directory 15 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\28463\svchost.001 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File created C:\Windows\SysWOW64\svchost .exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\WINDOWS\SysWOW64\REGSVR.EXE 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File created C:\Windows\SysWOW64\28463\svchost.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\28463 svchost.exe
File created C:\Windows\SysWOW64\setting.ini 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\svchost .exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\setup.ini 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\WINDOWS\SysWOW64\28463\SVCHOST.EXE 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\28463 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\28463\svchost.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File created C:\Windows\SysWOW64\regsvr.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File created C:\Windows\SysWOW64\28463\svchost.001 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\regsvr.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\setting.ini 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
-
Drops file in Program Files directory 13 IoCs
description ioc Process
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE tazebama.dl_
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
-
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File created C:\Windows\regsvr.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
File opened for modification C:\Windows\regsvr.exe 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
-
Program crash 1 IoCs
pid pid_target Process procid_target 5064 2704 WerFault.exe 82 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4556 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:768
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:772
-
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:392
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2664
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2684
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2776
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:3432
-
C:\Users\Admin\AppData\Local\Temp\09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\09c839a2a506daa090d4f1016c0ad9c1_JaffaCakes118.exe" 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3148 -
C:\Documents and Settings\tazebama.dl_ "C:\Documents and Settings\tazebama.dl_" 3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2704 -
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 740 4⤵
- Program crash
PID:5064
-
-
-
C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable 3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2028
-
-
C:\Windows\SysWOW64\28463\svchost.exe C:\Windows\system32\28463\svchost.exe 3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4556
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C AT /delete /yes 3⤵
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\at.exe AT /delete /yes 4⤵ PID:1488
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe 3⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\at.exe AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe 4⤵ PID:1300
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" 3⤵ PID:3360
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" 3⤵ PID:4944
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" 3⤵ PID:5068
-
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3536
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3748
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3868
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3928
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:4024
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4136
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:736
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3004
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca 1⤵ PID:3696
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:4788
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2704 -ip 2704 1⤵ PID:2360
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:1064
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3992
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵ PID:1960
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4288
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (5)
Downloads