Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/08/2024, 09:17
Static task
static1
Behavioral task
behavioral1
Sample
c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
-
Size
532KB
-
MD5
c06bc6914d0027f75bb4d381a806a193
-
SHA1
832f2ddc005856724f646bb6f32b9a47e37fd39d
-
SHA256
a1c2da26a3aec23b7d2caf96d5b5dbf05bf8c817e6b3d48522a2403d4f8e1eca
-
SHA512
16cbae77a71904d7aa0a89d305659ec5d73854be0ef92070f693fafc817078e7845ad45e187937c16fb83f006352432883987cb3ce17d19714fa5bec803ac941
-
SSDEEP
12288:EU9Xiuiqn0QP5vpBcRFIh66M5XjQ5SoMyF7+crn580L7:EUdHNn0a5sRWI5TQMNw7+a580L7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts cmd.exe -
resource yara_rule behavioral2/files/0x0007000000023563-404.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 3184 server.exe -
Loads dropped DLL 2 IoCs
pid Process 3184 server.exe 3184 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\empezar.bat = "C:\\Windows\\system32\\6095\\empezar.bat" c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Windows\\system32\\6095\\server.exe" c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe -
Drops file in System32 directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4168 msedge.exe 4168 msedge.exe 396 msedge.exe 396 msedge.exe 2784 identity_helper.exe 2784 identity_helper.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 396 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 396 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 396 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3184 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe" (depth 1)
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\system32\6095\listo.vbs" (depth 2)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6095\inicio.bat" " (depth 3)
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\net.exe net stop SharedAccess (depth 4)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop SharedAccess (depth 5)
- System Location Discovery: System Language Discovery
PID:2676
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://srvr.timwe.com/timwe_prod/PROD_COL/PERU/CLARO/minisite/index.php (depth 4)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffaad2746f8,0x7ffaad274708,0x7ffaad274718 (depth 5) PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2 (depth 5) PID:2776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3 (depth 5)
- Suspicious behavior: EnumeratesProcesses
PID:4168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8 (depth 5) PID:3960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1 (depth 5) PID:2136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1 (depth 5) PID:5100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1 (depth 5) PID:1592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1 (depth 5) PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8 (depth 5) PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8 (depth 5)
- Suspicious behavior: EnumeratesProcesses
PID:2784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:15⤵PID:1788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:15⤵PID:516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:15⤵PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:15⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:15⤵PID:5024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:15⤵PID:856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5624 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772
-
-
-
-
C:\Windows\SysWOW64\6095\server.exe"C:\Windows\System32\6095\server.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1904
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Downloads