Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 23:36
Behavioral task: behavioral1
Sample: e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
Size: 841KB
MD5: e143087e244e6bced278e4a16f9f1445
SHA1: 70c17b71957e185cd09181ac0a317135e7a797db
SHA256: fca7ad5c5619d248df1b82d1dc8fdc61682ea89192ce61dff70c6e3621032988
SHA512: cf47d36d1e673065066f1184c4457b157b3c7c37425e59be0726f250de4b3afac85522ab1f2154b6043d32c985bffa77ac7b1aba2e46acf4e3d0ea3d147b59ef
SSDEEP: 24576:Y1ckvnJDH7oH1haz/5qgxuLh62tLqazx5QwLzyUSSykQ59aIkPTr:Y1vvJz8H1hU/5qgQ62Bqad5g0yksxkrr
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | clhost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kajek.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | miGRu6Gcu2.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
ModiLoader Second Stage 9 IoCs
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
pid | Process
2240 | cmd.exe
Executes dropped EXE 13 IoCs
pid | Process
2724 | miGRu6Gcu2.exe
2264 | kajek.exe
2616 | alhost.exe
1720 | alhost.exe
1700 | blhost.exe
2284 | blhost.exe
1540 | clhost.exe
1964 | dlhost.exe
1644 | clhost.exe
1940 | clhost.exe
332 | csrss.exe
1648 | elhost.exe
2872 | 9B94.tmp
Loads dropped DLL 17 IoCs
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 53 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | \systemroot\assembly\GAC_64\Desktop.ini | csrss.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | csrss.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | alhost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | alhost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | blhost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | blhost.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2748 | tasklist.exe
2868 | tasklist.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2252 set thread context of 1160 | 2252 | e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe | 29
PID 2616 set thread context of 1720 | 2616 | alhost.exe | 37
PID 1700 set thread context of 2284 | 1700 | blhost.exe | 39
PID 1964 set thread context of 1652 | 1964 | dlhost.exe | 49
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\24FD\9F7.exe | clhost.exe
File opened for modification | C:\Program Files (x86)\LP\24FD\9F7.exe | clhost.exe
File opened for modification | C:\Program Files (x86)\LP\24FD\9B94.tmp | clhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2616 | explorer.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1160 | e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe
2724 | miGRu6Gcu2.exe
2264 | kajek.exe
1648 | elhost.exe
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
332 | csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | clhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | clhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:856
-
C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exee143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\miGRu6Gcu2.exeC:\Users\Admin\miGRu6Gcu2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\kajek.exe"C:\Users\Admin\kajek.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2264
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del miGRu6Gcu2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
-
-
C:\Users\Admin\alhost.exeC:\Users\Admin\alhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\alhost.exealhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1720
-
-
-
C:\Users\Admin\blhost.exeC:\Users\Admin\blhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\blhost.exeblhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2284
-
-
-
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1540 -
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe startC:\Users\Admin\AppData\Roaming\DBFBB\93024.exe%C:\Users\Admin\AppData\Roaming\DBFBB4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
-
-
C:\Users\Admin\clhost.exeC:\Users\Admin\clhost.exe startC:\Program Files (x86)\BB655\lvvm.exe%C:\Program Files (x86)\BB6554⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1940
-
-
C:\Program Files (x86)\LP\24FD\9B94.tmp"C:\Program Files (x86)\LP\24FD\9B94.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2872
-
-
-
C:\Users\Admin\dlhost.exeC:\Users\Admin\dlhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1652
-
-
-
C:\Users\Admin\elhost.exeC:\Users\Admin\elhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1648
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c tasklist&&del e143087e244e6bced278e4a16f9f1445_JaffaCakes118.exe 3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2240
C:\Windows\SysWOW64\tasklist.exe tasklist 4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2868
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
C:\Windows\explorer.exe explorer.exe 1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x5c8 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads