Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 06:12
Static task: static1
Behavioral task: behavioral1
Sample: 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Resource: win10v2004-20240730-en
General
Target: 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Size: 276KB
MD5: 8351f0b71db9e80b888b3f49dba43025
SHA1: 16aabc8485d62c36365d39067911f5eb410b2ceb
SHA256: 48640b4ce98932b3c9b91f11008234268b58556aae8492681f30a41339fdb1c1
SHA512: 595a641742d13dd7ca1da2c1db37df4fa646469e8fb2045d8c397543cd8b35f56c1ed3ea41fff43cd265bb198252ea509f4370b746ce68d686d56f5327382d1f
SSDEEP: 6144:ucPKm2vdh1q2uNK5U86JQPDHDdx/QtqP:R2v71qrNAUPJQPDHvd
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cifor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cifor.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Adds policy Run key to start application 2 TTPs 27 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cifor.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cifor.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Executes dropped EXE 2 IoCs
pid | Process
3100 | cifor.exe
5060 | cifor.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | cifor.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | cifor.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | cifor.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | cifor.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | cifor.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | cifor.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cifor.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cifor.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cifor.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cifor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cifor.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
17 | www.showmyipaddress.com
21 | whatismyip.everdot.org
23 | whatismyipaddress.com
26 | www.whatismyip.ca
31 | whatismyip.everdot.org
35 | whatismyip.everdot.org
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\dewayazdyyrsidabeqdewa.azd | cifor.exe
File created | C:\Windows\SysWOW64\dewayazdyyrsidabeqdewa.azd | cifor.exe
File opened for modification | C:\Windows\SysWOW64\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
File created | C:\Windows\SysWOW64\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dewayazdyyrsidabeqdewa.azd | cifor.exe
File created | C:\Program Files (x86)\dewayazdyyrsidabeqdewa.azd | cifor.exe
File opened for modification | C:\Program Files (x86)\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
File created | C:\Program Files (x86)\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\dewayazdyyrsidabeqdewa.azd | cifor.exe
File created | C:\Windows\dewayazdyyrsidabeqdewa.azd | cifor.exe
File opened for modification | C:\Windows\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
File created | C:\Windows\ugjyhuetzkoabhpbpmkwzoxkujpaeqrxf.fca | cifor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cifor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cifor.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000_Classes\Local Settings | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000_Classes\Local Settings | cifor.exe
Key created | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000_Classes\Local Settings | cifor.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
3100 | cifor.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
5060 | cifor.exe
3100 | cifor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3100 | cifor.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 3100 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 86
PID 2412 wrote to memory of 3100 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 86
PID 2412 wrote to memory of 3100 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 86
PID 2412 wrote to memory of 5060 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 87
PID 2412 wrote to memory of 5060 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 87
PID 2412 wrote to memory of 5060 | 2412 | 8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe | 87
System policy modification 1 TTPs 36 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8351f0b71db9e80b888b3f49dba43025_JaffaCakes118.exe" 1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412
C:\Users\Admin\AppData\Local\Temp\cifor.exe "C:\Users\Admin\AppData\Local\Temp\cifor.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3100
C:\Users\Admin\AppData\Local\Temp\cifor.exe "C:\Users\Admin\AppData\Local\Temp\cifor.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:5060
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:1600
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads