Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2024 21:57
Static task
static1
Behavioral task
behavioral1
Sample
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe
-
Size
8.0MB
-
MD5
5dd4c0fb60f349296f7d0323c4fffd68
-
SHA1
7df0abcd02c09b40776637bb7d24a1d53e8de1e5
-
SHA256
9b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
-
SHA512
828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
-
SSDEEP
384:G0qV0gPnGgKU1N6ZF4JJ9zYIQPA03DTx3e8ko7iopioMvcd01dQghOblQH5D/K/D:G0YCMhib
Malware Config
Extracted
orcus
Windows Update
azxsdc.duckdns.org:54115
3dce8870ca1f4ac8ad1ff166a6813d2e
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Windows\Update.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Windows Update
-
watchdog_path
AppData\Windows Update.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
Processes:
Update.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Program Files (x86)\\Windows\\Update.exe\"" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe\"" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Program Files (x86)\\Windows\\Update.exe\"" Update.exe -
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe = "0" Update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows\Update.exe = "0" Update.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Update.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Update.exe -
Orcurs Rat Executable 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3180-107-0x0000000000400000-0x0000000000510000-memory.dmp orcus -
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2004 powershell.exe 4432 powershell.exe 3352 powershell.exe 4012 powershell.exe 4732 powershell.exe 2088 powershell.exe 2416 powershell.exe 2368 powershell.exe 2888 powershell.exe 3036 powershell.exe 3024 powershell.exe 3636 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Update.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Update.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Update.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exeWindows Update.exeUpdate.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation Windows Update.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Drops startup file 4 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe Update.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe Update.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Executes dropped EXE 9 IoCs
Processes:
WindowsInput.exeWindowsInput.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeWindows Update.exeWindows Update.exeUpdate.exepid Process 3104 WindowsInput.exe 2152 WindowsInput.exe 2676 Update.exe 2284 Update.exe 3776 Update.exe 2612 Update.exe 1344 Windows Update.exe 220 Windows Update.exe 4928 Update.exe -
Loads dropped DLL 8 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exepid Process 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe = "0" Update.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows\Update.exe = "0" Update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "0" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
Update.exeUpdate.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update.exe = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update.exe = "C:\\Program Files (x86)\\Windows\\Update.exe" Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 26 pastebin.com 28 pastebin.com 61 pastebin.com 65 pastebin.com -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Update.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Update.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Update.exe -
Drops file in System32 directory 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeWindowsInput.exedescription ioc Process File created C:\Windows\SysWOW64\WindowsInput.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Windows\SysWOW64\WindowsInput.exe.config 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exepid Process 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe 2612 Update.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.exeUpdate.exedescription pid Process procid_target PID 2164 set thread context of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2676 set thread context of 3776 2676 Update.exe 140 PID 2612 set thread context of 4928 2612 Update.exe 157 -
Drops file in Program Files directory 3 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exedescription ioc Process File created C:\Program Files (x86)\Windows\Update.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Windows\Update.exe 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe File created C:\Program Files (x86)\Windows\Update.exe.config 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 4480 2164 WerFault.exe 83 3956 2676 WerFault.exe 127 4980 2612 WerFault.exe 143 -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid Process 3892 timeout.exe 1904 timeout.exe 4320 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exeUpdate.exeWindows Update.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 4012 powershell.exe 3352 powershell.exe 2368 powershell.exe 2368 powershell.exe 4732 powershell.exe 4732 powershell.exe 4012 powershell.exe 4012 powershell.exe 3352 powershell.exe 3352 powershell.exe 2368 powershell.exe 4732 powershell.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 2088 powershell.exe 2888 powershell.exe 2888 powershell.exe 3036 powershell.exe 3036 powershell.exe 2416 powershell.exe 2416 powershell.exe 2888 powershell.exe 2088 powershell.exe 2088 powershell.exe 3036 powershell.exe 2416 powershell.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 2676 Update.exe 3776 Update.exe 3776 Update.exe 3776 Update.exe 220 Windows Update.exe 220 Windows Update.exe 220 Windows Update.exe 3776 Update.exe 220 Windows Update.exe 3776 Update.exe 220 Windows Update.exe 3776 Update.exe 220 Windows Update.exe 2004 powershell.exe 2004 powershell.exe 3776 Update.exe 3776 Update.exe 220 Windows Update.exe 220 Windows Update.exe 4432 powershell.exe 4432 powershell.exe 3024 powershell.exe 3024 powershell.exe 3636 powershell.exe 3636 powershell.exe 3776 Update.exe 220 Windows Update.exe 2004 powershell.exe 3776 Update.exe 220 Windows Update.exe 4432 powershell.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exeWindows Update.exeWindows Update.exepowershell.exeUpdate.exepowershell.exepowershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe Token: SeDebugPrivilege 3352 powershell.exe Token: SeDebugPrivilege 4012 powershell.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 4732 powershell.exe Token: SeDebugPrivilege 2676 Update.exe Token: SeDebugPrivilege 2088 powershell.exe Token: SeDebugPrivilege 2888 powershell.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeDebugPrivilege 3776 Update.exe Token: SeDebugPrivilege 1344 Windows Update.exe Token: SeDebugPrivilege 220 Windows Update.exe Token: SeDebugPrivilege 2004 powershell.exe Token: SeDebugPrivilege 2612 Update.exe Token: SeDebugPrivilege 4432 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 3636 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Update.exepid Process 3776 Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.execmd.exe5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exeUpdate.execmd.exeUpdate.exeWindows Update.exedescription pid Process procid_target PID 2164 wrote to memory of 3352 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 90 PID 2164 wrote to memory of 3352 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 90 PID 2164 wrote to memory of 3352 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 90 PID 2164 wrote to memory of 4012 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 92 PID 2164 wrote to memory of 4012 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 92 PID 2164 wrote to memory of 4012 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 92 PID 2164 wrote to memory of 4732 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 95 PID 2164 wrote to memory of 4732 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 95 PID 2164 wrote to memory of 4732 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 95 PID 2164 wrote to memory of 2368 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 97 PID 2164 wrote to memory of 2368 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 97 PID 2164 wrote to memory of 2368 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 97 PID 2164 wrote to memory of 4496 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 99 PID 2164 wrote to memory of 4496 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 99 PID 2164 wrote to memory of 4496 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 99 PID 4496 wrote to memory of 3892 4496 cmd.exe 101 PID 4496 wrote to memory of 3892 4496 cmd.exe 101 PID 4496 wrote to memory of 3892 4496 cmd.exe 101 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 2164 wrote to memory of 3180 2164 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 102 PID 3180 wrote to memory of 3104 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 106 PID 3180 wrote to memory of 3104 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 106 PID 3180 wrote to memory of 2676 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 127 PID 3180 wrote to memory of 2676 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 127 PID 3180 wrote to memory of 2676 3180 5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe 127 PID 2676 wrote to memory of 2088 2676 Update.exe 128 PID 2676 wrote to memory of 2088 2676 Update.exe 128 PID 2676 wrote to memory of 2088 2676 Update.exe 128 PID 2676 wrote to memory of 2888 2676 Update.exe 130 PID 2676 wrote to memory of 2888 2676 Update.exe 130 PID 2676 wrote to memory of 2888 2676 Update.exe 130 PID 2676 wrote to memory of 3036 2676 Update.exe 132 PID 2676 wrote to memory of 3036 2676 Update.exe 132 PID 2676 wrote to memory of 3036 2676 Update.exe 132 PID 2676 wrote to memory of 2416 2676 Update.exe 134 PID 2676 wrote to memory of 2416 2676 Update.exe 134 PID 2676 wrote to memory of 2416 2676 Update.exe 134 PID 2676 wrote to memory of 544 2676 Update.exe 136 PID 2676 wrote to memory of 544 2676 Update.exe 136 PID 2676 wrote to memory of 544 2676 Update.exe 136 PID 544 wrote to memory of 1904 544 cmd.exe 138 PID 544 wrote to memory of 1904 544 cmd.exe 138 PID 544 wrote to memory of 1904 544 cmd.exe 138 PID 2676 wrote to memory of 2284 2676 Update.exe 139 PID 2676 wrote to memory of 2284 2676 Update.exe 139 PID 2676 wrote to memory of 2284 2676 Update.exe 139 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 2676 wrote to memory of 3776 2676 Update.exe 140 PID 3776 wrote to memory of 1344 3776 Update.exe 144 PID 3776 wrote to memory of 1344 3776 Update.exe 144 PID 3776 wrote to memory of 1344 3776 Update.exe 144 PID 1344 wrote to memory of 220 1344 Windows Update.exe 145
Processes
-
C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:3892
-
-
-
C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3104
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows\Update.exe" -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 14⤵
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
PID:1904
-
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"4⤵
- Executes dropped EXE
PID:2284
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe" /launchSelfAndExit "C:\Program Files (x86)\Windows\Update.exe" 3776 /protectFile5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe" /watchProcess "C:\Program Files (x86)\Windows\Update.exe" 3776 "/protectFile"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 10924⤵
- Program crash
PID:3956
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 22682⤵
- Program crash
PID:4480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2164 -ip 21641⤵PID:5044
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:2152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2676 -ip 26761⤵PID:1720
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"1⤵
- Modifies WinLogon for persistence
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows\Update.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 12⤵PID:516
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
PID:4320
-
-
-
C:\Program Files (x86)\Windows\Update.exe"C:\Program Files (x86)\Windows\Update.exe"2⤵
- Executes dropped EXE
PID:4928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 23082⤵
- Program crash
PID:4980
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2612 -ip 26121⤵PID:164
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
4Modify Registry
6Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.0MB
MD55dd4c0fb60f349296f7d0323c4fffd68
SHA17df0abcd02c09b40776637bb7d24a1d53e8de1e5
SHA2569b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
SHA512828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5160d339812c55efd4d0246622a0435d0
SHA1d1a34de6f400cfc9fab58c0e8264fae56c0095b7
SHA2561cfb0676de51226633e6f7187a78dd87705e3a837a54c2ca32c1c8351640fdd1
SHA51283bf4d3442ccfc5e89f313eb5b1d04a1302582867a548e39cdc1c7613d299e63ea66b02081c42953dc3d3b4aa1870cd29b905f12a887fab5f3cca84953222e6a
-
Filesize
18KB
MD510cd251c99d85b554843ebccd3295a35
SHA190f6a0ace3abdd31e386ba4f32c464657537d4dd
SHA256a29cbd53c1001e02abea7aca1a48f09dba50054aedf95edd640a3c6e64551303
SHA512d928d0e5aaa7256715ed1a3b9d101ec57d26a4f86536ace8e6a61901603c5703ba163bb85828f15726059bb5cc16ca63eac5ecce91cb10c7734cbe03d73b0c54
-
Filesize
528B
MD50e1c4dd483a8fefad200890e0873c74c
SHA1e00357cb8a82e3c9b601182910fab723b4802a31
SHA25634f1854d4bf0e7c3856aab267edbb38c9f7fa09fb0a924df0a47759eedc7e373
SHA512a2944cebb4ce19fa65b40f9aa060286770f42f6c149127869d0199f06e86a6ccf4dcf4a4ef6faadd0699f258028f18da4562b52c648383a0779108860aa38456
-
Filesize
18KB
MD5b8c2e78942d580abec88b9bb1fd2b37b
SHA1f62a84ae8eb7984e627f55f576fe361447df46c0
SHA256260bcdd2559bd418698342da502553661de81acf7164b4a3c84d0a87a58c3bff
SHA512572492d8e6a28ef440987b2da47fbda9b0fcd2f9fb64298f255234ba74f7804c9f4356ca9fca1eb984c953b0bd947016e75ff2c59703ae5c248c7b2a9cc4c336
-
Filesize
176B
MD531f2e9e64f30c5d723b65eb6132e47b3
SHA175c1b180dcb9675fac67fe94dd7842b8d30df6c7
SHA25646ed22d2b0badfec0648322dd122a04f84a225da18e1668c5ea831a92ac6379a
SHA51222dc61351b81e3cd289b8d805fa1d4f3d29676a3e589a3198ae2891e169a4f82b6a2d90fb594716c5d9fbd052b07269528e2fc50d09c021c02f8372128c5a4e3
-
Filesize
18KB
MD501d1e9f4e68a8898d0b6c9ce58d342fc
SHA11dfa165e23d70fbd18dbf6949edb09747caf4e60
SHA256b79ddf4c13e8c72f6e308d29488209bec7d518af0a68e8ec35e7f6b257a897ad
SHA512afd9ab65b6acf47b454deee323468b8dc744afa5ef2d7a2d7ef927f98d5dc99c48680b3ced4ecca194ff83469b8041dcf674247e2e7bc0948431ec66bce30ff4
-
Filesize
18KB
MD56f4c975162c213b59ac971ab400dce9f
SHA16ade70f082046e4d6e854e79e6c2ba3c726f50de
SHA2560aa617cad8010e6668799a7e84f80b8d26191f6fde9b177669ddf2608053121a
SHA512210f36d98016fc4fb3e71cfae1ec1ef99431cfbdc4972a24ee3d446eb5c3a0f10334c0b2854d42f4218bee3446a3382759b8b0dc125adba3d699ed4ac74047ab
-
Filesize
18KB
MD5a1c779370d5144547ebebd18a3aabacb
SHA15a58643e1dd9f43e836426cdfc9f8ce04aeb4168
SHA256fb21f471f69850c144f356f5375e0cc5d21ee1eb87349c0d452841c8875788bd
SHA512811fc54944d6a124eaf91c23851ceed96abc888ca3be507a795b8431c6b096bc084213df02400bbe3653c02c3702c1f611f3e978a3843826dad1052b52387648
-
Filesize
7.9MB
MD589c4224b92c8df1ee28bc46abd321e7a
SHA123851cd0a84161e6e30dbf951b650692afda3efb
SHA256bf0fa011a0660a2ed9ce5c150def7761b97a27ab515fac69216cfe762b850d6e
SHA512a5df46b5e4e54d0b5b26dca65f7f9920e30d080476821a29ee8169d726028ab0cd570480333eab38b5aaf86b9ac0076a9363015bdf0fe10f3ccef716865b62fc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad