Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 20:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
33 signatures
150 seconds
Behavioral task
behavioral2
Sample
f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
37 signatures
150 seconds
General
-
Target
f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe
-
Size
920KB
-
MD5
f467ad374c4a6a470cde9f4893fd628c
-
SHA1
b6fb7decf1da130faa70e8115f5593ba6b9235b9
-
SHA256
1c6d003793adae594719fc0572cf770437af2f24c1f8fe2307633a7cc59d8102
-
SHA512
49d5a9e9bb3fe6367a8081509913e6706a26887644af8233809c25cb913d72b3233341cecc665520c08fa3529dc457f1d80327a8eba2a330970e22aebc08ab83
-
SSDEEP
24576:tJXWAayET+QuawV+XTUknfiuG7weke8juowZKMnunK:WTzuaxjnsywKMnY
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\8a1d53fa\\X" Explorer.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ruode.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" MDdyAsuPL1.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 5eaj.exe -
Deletes itself 1 IoCs
pid Process 1768 cmd.exe -
Executes dropped EXE 16 IoCs
pid Process 2056 MDdyAsuPL1.exe 2328 ruode.exe 2792 2eaj.exe 2684 2eaj.exe 2708 2eaj.exe 1572 2eaj.exe 2296 2eaj.exe 1816 2eaj.exe 1512 3eaj.exe 2492 4eaj.exe 332 csrss.exe 1696 X 1072 3eaj.exe 2656 3eaj.exe 2496 5eaj.exe 2052 59A5.tmp -
Loads dropped DLL 16 IoCs
pid Process 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2056 MDdyAsuPL1.exe 2056 MDdyAsuPL1.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2492 4eaj.exe 2492 4eaj.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 1512 3eaj.exe 1512 3eaj.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /U" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /V" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /k" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /B" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /S" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /Y" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /Q" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /v" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /E" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /i" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /R" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /F" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /O" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /Q" MDdyAsuPL1.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /I" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /J" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /j" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /a" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /T" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /p" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /b" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /o" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /u" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /d" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /c" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /L" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /s" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /H" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /n" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /z" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /l" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /q" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /W" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /G" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /h" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /e" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /M" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /C" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /g" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /y" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /P" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /X" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /N" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /w" ruode.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\82B.exe = "C:\\Program Files (x86)\\LP\\AF05\\82B.exe" 3eaj.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /f" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /m" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /K" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /x" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /A" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /D" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /Z" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruode = "C:\\Users\\Admin\\ruode.exe /t" ruode.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xe3fibce1yoodoqtjgxye1qgsapkdrnx2\\svcnost.exe\"" 5eaj.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2eaj.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2eaj.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2816 tasklist.exe 1260 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2792 set thread context of 2684 2792 2eaj.exe 38 PID 2792 set thread context of 2708 2792 2eaj.exe 39 PID 2792 set thread context of 2296 2792 2eaj.exe 40 PID 2792 set thread context of 1572 2792 2eaj.exe 41 PID 2792 set thread context of 1816 2792 2eaj.exe 42 PID 2492 set thread context of 2716 2492 4eaj.exe 52 -
resource yara_rule behavioral1/memory/2684-45-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2684-42-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2684-40-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2684-47-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2708-62-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2684-61-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2708-59-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2708-58-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2708-56-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2708-53-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2708-51-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1572-83-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1572-82-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1572-80-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1572-77-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1572-75-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2296-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2296-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2296-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2296-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2296-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2296-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1572-89-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2684-135-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x0017000000019617-481.dat upx behavioral1/memory/2496-485-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/2496-494-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\AF05\82B.exe 3eaj.exe File opened for modification C:\Program Files (x86)\LP\AF05\82B.exe 3eaj.exe File opened for modification C:\Program Files (x86)\LP\AF05\59A5.tmp 3eaj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MDdyAsuPL1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ruode.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 59A5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eaj.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \registry\machine\Software\Classes\Interface\{d089a6e8-2120-e33a-a694-70abb0cb4bde} 4eaj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d089a6e8-2120-e33a-a694-70abb0cb4bde}\u = "188" 4eaj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d089a6e8-2120-e33a-a694-70abb0cb4bde}\cid = "11449351397843909520" 4eaj.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2056 MDdyAsuPL1.exe 2056 MDdyAsuPL1.exe 2708 2eaj.exe 2296 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2296 2eaj.exe 2708 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2328 ruode.exe 1512 3eaj.exe 1512 3eaj.exe 1512 3eaj.exe 1512 3eaj.exe 1512 3eaj.exe 1512 3eaj.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2492 4eaj.exe 2492 4eaj.exe 2492 4eaj.exe 2328 ruode.exe 2492 4eaj.exe 1696 X 2328 ruode.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2708 2eaj.exe 2328 ruode.exe 2328 ruode.exe 2708 2eaj.exe 2708 2eaj.exe 2708 2eaj.exe 2328 ruode.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1700 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2816 tasklist.exe Token: SeRestorePrivilege 1620 msiexec.exe Token: SeTakeOwnershipPrivilege 1620 msiexec.exe Token: SeSecurityPrivilege 1620 msiexec.exe Token: SeDebugPrivilege 2492 4eaj.exe Token: SeDebugPrivilege 2492 4eaj.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeShutdownPrivilege 1700 explorer.exe Token: SeDebugPrivilege 1260 tasklist.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe -
Suspicious use of SendNotifyMessage 20 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe 1700 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 2056 MDdyAsuPL1.exe 2328 ruode.exe 2792 2eaj.exe 2684 2eaj.exe 1572 2eaj.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2056 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 30 PID 2404 wrote to memory of 2056 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 30 PID 2404 wrote to memory of 2056 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 30 PID 2404 wrote to memory of 2056 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2328 2056 MDdyAsuPL1.exe 32 PID 2056 wrote to memory of 2328 2056 MDdyAsuPL1.exe 32 PID 2056 wrote to memory of 2328 2056 MDdyAsuPL1.exe 32 PID 2056 wrote to memory of 2328 2056 MDdyAsuPL1.exe 32 PID 2056 wrote to memory of 2476 2056 MDdyAsuPL1.exe 33 PID 2056 wrote to memory of 2476 2056 MDdyAsuPL1.exe 33 PID 2056 wrote to memory of 2476 2056 MDdyAsuPL1.exe 33 PID 2056 wrote to memory of 2476 2056 MDdyAsuPL1.exe 33 PID 2476 wrote to memory of 2816 2476 cmd.exe 35 PID 2476 wrote to memory of 2816 2476 cmd.exe 35 PID 2476 wrote to memory of 2816 2476 cmd.exe 35 PID 2476 wrote to memory of 2816 2476 cmd.exe 35 PID 2404 wrote to memory of 2792 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 37 PID 2404 wrote to memory of 2792 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 37 PID 2404 wrote to memory of 2792 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 37 PID 2404 wrote to memory of 2792 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 37 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2684 2792 2eaj.exe 38 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2708 2792 2eaj.exe 39 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 2296 2792 2eaj.exe 40 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1572 2792 2eaj.exe 41 PID 2792 wrote to memory of 1816 2792 2eaj.exe 42 PID 2792 wrote to memory of 1816 2792 2eaj.exe 42 PID 2792 wrote to memory of 1816 2792 2eaj.exe 42 PID 2792 wrote to memory of 1816 2792 2eaj.exe 42 PID 2792 wrote to memory of 1816 2792 2eaj.exe 42 PID 2404 wrote to memory of 1512 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 43 PID 2404 wrote to memory of 1512 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 43 PID 2404 wrote to memory of 1512 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 43 PID 2404 wrote to memory of 1512 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 43 PID 2404 wrote to memory of 2492 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 46 PID 2404 wrote to memory of 2492 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 46 PID 2404 wrote to memory of 2492 2404 f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe 46 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3eaj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3eaj.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Users\Admin\MDdyAsuPL1.exeC:\Users\Admin\MDdyAsuPL1.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\ruode.exe"C:\Users\Admin\ruode.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del MDdyAsuPL1.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
-
-
C:\Users\Admin\2eaj.exeC:\Users\Admin\2eaj.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2684
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2708
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2296
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
PID:1816
-
-
-
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1512 -
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe startC:\Users\Admin\AppData\Roaming\5B378\EC9AF.exe%C:\Users\Admin\AppData\Roaming\5B3784⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1072
-
-
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe startC:\Program Files (x86)\78CCD\lvvm.exe%C:\Program Files (x86)\78CCD4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Program Files (x86)\LP\AF05\59A5.tmp"C:\Program Files (x86)\LP\AF05\59A5.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052
-
-
-
C:\Users\Admin\4eaj.exeC:\Users\Admin\4eaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Users\Admin\AppData\Local\8a1d53fa\X*0*bc*611bbb90*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
-
C:\Users\Admin\5eaj.exeC:\Users\Admin\5eaj.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:2496
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2980
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5afaca64214594290a9e01c2ab012f00c
SHA1eb1183a49d6da506072d34673f60a623687d2f82
SHA256ca9e0ce2d0cf500ddbad4e9ad42e6e4136e3fa351839ccc654f393e624528f7a
SHA5129f91e78c3a1de2e877e16b3cc862bc512051ccd011868c333dc66487bf1979c5f52406fa3498996e397705050b9c41a65a318d1f72e1e611dd9e2674a794a8b7
-
Filesize
121KB
MD56735cacc68031001bcf6459daa770b42
SHA178fc873eee60454534d7f39279d53d9bd9780c77
SHA256b1a7250c0fc8caa1a26ca2ebf18507ba4dcc564149ccfa81ed07e4fe2fbed026
SHA512ef092414d0b7f51ec8ec697148dba5656ba13987f2b7f746bda77267320dbbfdc0504e51699becbe30162ee0dd102cea80ab689f74221a2c6a50e1912ab82f08
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
600B
MD5b54747a884559ca1c0a6d8fb71ffb1fd
SHA1fce5f27fab7377833954d953601ab52c6faadaee
SHA2560434dcf8ed305938a3db8ca366abdf76693c69260835ef96fc35efa8a94d5433
SHA512b2ad6d0f231668e6cad0292ca4a4cd3a9e2cfc1317184af2f3a210b5b9ebbc6dc64a5f77c40a8fc3cc0e3dc4720c48cfaea7ca3ba2468b110e7e5b6d3c9b4f72
-
Filesize
996B
MD5f34a5d739e01bd9cfe51c61aeaaa6371
SHA165b03b82bba0f7658512736056c60a939659fafe
SHA25681a9d7d8512d4707ccd4ed671d9fbc6f69846efafe883b6b8a5b2d8082180fa1
SHA51266e97b4d172eaf8c1597c9415a11697ac7c2ed7f7ce760cc07d42e8a6421760ab7ef3b9d163d0239bff1580c48cda320e9f75e963353758895ed2a253cf28754
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
100KB
MD58659e2fdb286421874e997e5b1d56ae4
SHA1e3b46183011a317dd80baf92ff9ef1b2da53cc05
SHA25680ceedded02c13a9c4ade2d2242b2bb295bc122b5c7c0f6b3332b0f4fceae2b8
SHA512ae12fd737c0a6f765ebe7a6e312230220e5fb79d42c1478a6f00edf5e67b6dec201aee90d3082b7817726c6501c7c94ce4a8eab72b2a00547bfdc382bbf2a8dc
-
Filesize
283KB
MD5ab0bbc81ff15b6d295989e4076711c04
SHA199372e440fceb26128534ae44ba6649f4d6f5354
SHA256b936e7056270188775662177402c86da4028950320a772f3d56763e2f935b4e5
SHA512f1fa46e0fc9480766b68f7b3aba23bf41bb66e22d529d1006f5dbbfe467ec0bf490b50067184b38fa76639a76c15e88ca654544ea045bcbfce8c12d3d8347077
-
Filesize
273KB
MD590cfd3294a276c3bc20a9fddf574a8d1
SHA1fc294843a290d0bc223e67f3370009e0bd63e3b8
SHA2565b076d47b571824cd668c26e7fc0a53b54a58547b7cb6a70eccdf44b4ccbda14
SHA512a1ffc3e46490c74e7cd45b919b4668e0f38cbf28b3c3b81a25c68233cd68b72a5d9444306b9e8ef03fa1739d441c7f6504a36aabc2c53a7025b3c6260adc1aeb
-
Filesize
256KB
MD5601683a024c1e27dd62d33de59536641
SHA14584d66af41c4f77a6e1b7df3dcd3e78217ad270
SHA25611ba7731f1b9b48116167234553254116e86f06091b0bbd7eaf0cbea4c2df049
SHA512b6ee2b371198d5a70124444596fb28831ec6b2f06910e0f772852f7d80ad2974373aead6f9597c61a89bd99496ca33a838030e458265f6ddea4920ffb0472008
-
Filesize
256KB
MD549812146416b5cbd77451e23d59a3d50
SHA12f3a63e1a25e0f43083cc6d6bb2d4d49b521b218
SHA256dc3b3afd6fd62b7309a49ca1b2e3ff7bd3938201a2820705eb4f01affd6ad600
SHA5123e4ce89a0c940060556395c61706756052b5d9dda0d08b0453c421dca626269c98061381e4b711133de041b8fd61ad6624a8fc33a2aaaa6f3b892f3fad8c9e57
-
Filesize
2KB
MD5a5d7eac6c01a44b6a6256612f4b57ca3
SHA134197d3d33960563f01cd4fbc860af205e891de4
SHA256b205656391dba5728e73ba32074253a1da407794ebd3c192aacf22d73764e637
SHA512bd31f51eb92f9a08e0e5b96f2a28979115630a2776040f22c9cf46c1477bc92845a236b1e8a244a959c03a8f092da9be451f697ad892c8bf48a73a87410da582