Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19-07-2024 21:57
Static task
static1
Behavioral task
behavioral1
Sample
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
-
Size
8.0MB
-
MD5
5dd4c0fb60f349296f7d0323c4fffd68
-
SHA1
7df0abcd02c09b40776637bb7d24a1d53e8de1e5
-
SHA256
9b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
-
SHA512
828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
-
SSDEEP
384:G0qV0gPnGgKU1N6ZF4JJ9zYIQPA03DTx3e8ko7iopioMvcd01dQghOblQH5D/K/D:G0YCMhib
Malware Config
Extracted
orcus
Windows Update
azxsdc.duckdns.org:54115
3dce8870ca1f4ac8ad1ff166a6813d2e
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Windows\Update.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Windows Update
-
watchdog_path
AppData\Windows Update.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe\"" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Program Files (x86)\\Windows\\Update.exe\"" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Program Files (x86)\\Windows\\Update.exe\"" Update.exe -
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe = "0" Update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows\Update.exe = "0" Update.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions Update.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions Update.exe -
Orcurs Rat Executable 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2636-84-0x0000000000400000-0x0000000000510000-memory.dmp orcus behavioral1/memory/2636-32-0x0000000000400000-0x0000000000510000-memory.dmp orcus behavioral1/memory/2636-31-0x0000000000400000-0x0000000000510000-memory.dmp orcus behavioral1/memory/2636-28-0x0000000000400000-0x0000000000510000-memory.dmp orcus behavioral1/memory/2636-26-0x0000000000400000-0x0000000000510000-memory.dmp orcus -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2448 powershell.exe 652 powershell.exe 4900 powershell.exe 5100 powershell.exe 5020 powershell.exe 2700 powershell.exe 2340 powershell.exe 2208 powershell.exe 2572 powershell.exe 2460 powershell.exe 2288 powershell.exe 5104 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools Update.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools Update.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Update.exe -
Drops startup file 4 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe Update.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe Update.exe -
Executes dropped EXE 8 IoCs
Processes:
WindowsInput.exeWindowsInput.exeUpdate.exeUpdate.exeUpdate.exeWindows Update.exeWindows Update.exeUpdate.exepid Process 1568 WindowsInput.exe 2076 WindowsInput.exe 4704 Update.exe 4292 Update.exe 4304 Update.exe 652 Windows Update.exe 2228 Windows Update.exe 1936 Update.exe -
Loads dropped DLL 34 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exeWerFault.exeUpdate.exeWindows Update.exeWindows Update.exeUpdate.exepid Process 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4292 Update.exe 4292 Update.exe 4292 Update.exe 3496 WerFault.exe 3496 WerFault.exe 3496 WerFault.exe 3496 WerFault.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4292 Update.exe 652 Windows Update.exe 652 Windows Update.exe 652 Windows Update.exe 2228 Windows Update.exe 2228 Windows Update.exe 4304 Update.exe 1936 Update.exe 1936 Update.exe 1936 Update.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows\Update.exe = "0" Update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe = "0" Update.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
Update.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update.exe = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update.exe = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Update.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Update.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Update.exe -
Drops file in System32 directory 7 IoCs
Processes:
powershell.exepowershell.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeWindowsInput.exepowershell.exepowershell.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\SysWOW64\WindowsInput.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Windows\SysWOW64\WindowsInput.exe.config 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 40 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exepid Process 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription pid Process procid_target PID 2524 set thread context of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 4704 set thread context of 4292 4704 Update.exe 56 PID 4304 set thread context of 1936 4304 Update.exe 73 -
Drops file in Program Files directory 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process File created C:\Program Files (x86)\Windows\Update.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Windows\Update.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Program Files (x86)\Windows\Update.exe.config 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 3496 4704 WerFault.exe 44 -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid Process 2608 timeout.exe 2376 timeout.exe 808 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exeWindows Update.exeUpdate.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exepid Process 652 powershell.exe 2572 powershell.exe 2288 powershell.exe 2460 powershell.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 4900 powershell.exe 5020 powershell.exe 5100 powershell.exe 5104 powershell.exe 4704 Update.exe 4704 Update.exe 4704 Update.exe 2228 Windows Update.exe 2228 Windows Update.exe 2228 Windows Update.exe 4292 Update.exe 4292 Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2448 powershell.exe 2228 Windows Update.exe 4292 Update.exe 2340 powershell.exe 2700 powershell.exe 2208 powershell.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4304 Update.exe 4304 Update.exe 4304 Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 2228 Windows Update.exe 4292 Update.exe 4292 Update.exe -
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exeWindows Update.exeWindows Update.exepowershell.exepowershell.exeUpdate.exepowershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Token: SeDebugPrivilege 652 powershell.exe Token: SeDebugPrivilege 2572 powershell.exe Token: SeDebugPrivilege 2288 powershell.exe Token: SeDebugPrivilege 2460 powershell.exe Token: SeDebugPrivilege 4704 Update.exe Token: SeDebugPrivilege 4900 powershell.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeDebugPrivilege 5100 powershell.exe Token: SeDebugPrivilege 5104 powershell.exe Token: SeDebugPrivilege 4292 Update.exe Token: SeDebugPrivilege 652 Windows Update.exe Token: SeDebugPrivilege 2228 Windows Update.exe Token: SeDebugPrivilege 2448 powershell.exe Token: SeDebugPrivilege 2340 powershell.exe Token: SeDebugPrivilege 4304 Update.exe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 2208 powershell.exe Token: SeRestorePrivilege 4304 Update.exe Token: SeBackupPrivilege 4304 Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Update.exepid Process 4292 Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.execmd.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription pid Process procid_target PID 2524 wrote to memory of 652 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 30 PID 2524 wrote to memory of 652 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 30 PID 2524 wrote to memory of 652 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 30 PID 2524 wrote to memory of 652 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 30 PID 2524 wrote to memory of 2572 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 32 PID 2524 wrote to memory of 2572 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 32 PID 2524 wrote to memory of 2572 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 32 PID 2524 wrote to memory of 2572 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 32 PID 2524 wrote to memory of 2460 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 34 PID 2524 wrote to memory of 2460 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 34 PID 2524 wrote to memory of 2460 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 34 PID 2524 wrote to memory of 2460 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 34 PID 2524 wrote to memory of 2288 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 36 PID 2524 wrote to memory of 2288 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 36 PID 2524 wrote to memory of 2288 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 36 PID 2524 wrote to memory of 2288 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 36 PID 2524 wrote to memory of 2760 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 38 PID 2524 wrote to memory of 2760 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 38 PID 2524 wrote to memory of 2760 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 38 PID 2524 wrote to memory of 2760 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 38 PID 2760 wrote to memory of 2608 2760 cmd.exe 40 PID 2760 wrote to memory of 2608 2760 cmd.exe 40 PID 2760 wrote to memory of 2608 2760 cmd.exe 40 PID 2760 wrote to memory of 2608 2760 cmd.exe 40 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2524 wrote to memory of 2636 2524 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 41 PID 2636 wrote to memory of 1568 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 42 PID 2636 wrote to memory of 1568 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 42 PID 2636 wrote to memory of 1568 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 42 PID 2636 wrote to memory of 1568 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 42 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 2636 wrote to memory of 4704 2636 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 44 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 4900 4704 Update.exe 45 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5100 4704 Update.exe 47 PID 4704 wrote to memory of 5020 4704 Update.exe 49 PID 4704 wrote to memory of 5020 4704 Update.exe 49 PID 4704 wrote to memory of 5020 4704 Update.exe 49 PID 4704 wrote to memory of 5020 4704 Update.exe 49 PID 4704 wrote to memory of 5020 4704 Update.exe 49 PID 4704 wrote to memory of 5020 4704 Update.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:2608
-
-
-
C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵PID:2524
-
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
PID:2376
-
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4292 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe" /launchSelfAndExit "C:\Program Files (x86)\Windows\Update.exe" 4292 /protectFile5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:652 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe" /watchProcess "C:\Program Files (x86)\Windows\Update.exe" 4292 "/protectFile"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 8244⤵
- Loads dropped DLL
- Program crash
PID:3496
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:2076
-
C:\Windows\system32\taskeng.exetaskeng.exe {82946D86-C540-43B9-B1E2-352886A0C4FE} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]1⤵PID:3988
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"2⤵
- Modifies WinLogon for persistence
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows\Update.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 13⤵PID:4480
-
C:\Windows\SysWOW64\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
PID:808
-
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5303835c0bbd50042c89aeb5642f28af9
SHA170afaf81075d0570475bd0165cb6ad0581f807d0
SHA2567b12cb6b7a4148b136dc19b72b58df6a3c0b943e725e1dde768ab0dbd9d12865
SHA51265f4b50b46c045b1a52cd9417d185cd70fe85e404b24111da82126b37a73e938dbc57aa16f48f36fb580e61fe0af693ed72a81c01d9c7c991e612c57ac4a1d8b
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
8.0MB
MD55dd4c0fb60f349296f7d0323c4fffd68
SHA17df0abcd02c09b40776637bb7d24a1d53e8de1e5
SHA2569b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
SHA512828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e