Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
10-10-2024 14:17
Behavioral task
behavioral1
Sample
304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
-
Size
875KB
-
MD5
304d553299e245f0b907b0b50a50d3ad
-
SHA1
63348283b822c25960133717aadccb2ed02f37af
-
SHA256
09da4f36e931cb15393834e79fce688ce21ff8a6bb082193a7e1e66df91feed3
-
SHA512
f312734df4f1c80ddd3c11539375de93d8335223e53855d3ab75c693cf60f4effc4f61bc182289d67585f3dee7377ddb08c20ee4d644abe9e8cca424f1e48a8f
-
SSDEEP
24576:B5T0kUJQbdHVFQlyOW8oooiAhYJWtA7q:B53UEHVFQAp5iAOgtAG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | cthost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Ww9OoYLk.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | peeziag.exe
-
ModiLoader Second Stage 9 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid | Process
2180 | cmd.exe
-
Executes dropped EXE 13 IoCs
pid | Process
2556 | Ww9OoYLk.exe
2732 | peeziag.exe
2852 | athost.exe
2896 | athost.exe
2408 | bthost.exe
860 | bthost.exe
1968 | cthost.exe
2416 | dthost.exe
332 | csrss.exe
2280 | cthost.exe
1524 | ethost.exe
2640 | cthost.exe
2632 | 4598.tmp
-
Loads dropped DLL 19 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | \systemroot\assembly\GAC_64\Desktop.ini | csrss.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | csrss.exe
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | athost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | bthost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | bthost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | athost.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2880 | tasklist.exe
2640 | tasklist.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2520 set thread context of 3060 | 2520 | 304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe | 30
PID 2852 set thread context of 2896 | 2852 | athost.exe | 38
PID 2408 set thread context of 860 | 2408 | bthost.exe | 41
PID 2416 set thread context of 2088 | 2416 | dthost.exe | 47
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\B3EF\5C1.exe | cthost.exe
File opened for modification | C:\Program Files (x86)\LP\B3EF\4598.tmp | cthost.exe
File opened for modification | C:\Program Files (x86)\LP\B3EF\5C1.exe | cthost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2980 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3060 | 304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
2556 | Ww9OoYLk.exe
2732 | peeziag.exe
1524 | ethost.exe
-
Suspicious use of UnmapMainImage 1 IoCs
pid | Process
332 | csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cthost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | cthost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe
Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Process tree depth: 1
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs
Process tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:844
-
C:\Users\Admin\AppData\Local\Temp\304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe"
Process tree depth: 1
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
Command line: 304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe
Process tree depth: 2
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\Ww9OoYLk.exe
Command line: C:\Users\Admin\Ww9OoYLk.exe
Process tree depth: 3
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\peeziag.exe
Command line: "C:\Users\Admin\peeziag.exe"
Process tree depth: 4
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del Ww9OoYLk.exe
Process tree depth: 4
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
-
-
C:\Users\Admin\athost.exeC:\Users\Admin\athost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\athost.exeathost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2896
-
-
-
C:\Users\Admin\bthost.exeC:\Users\Admin\bthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\bthost.exebthost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:860
-
-
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1968 -
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Users\Admin\AppData\Roaming\FFABF\85DB3.exe%C:\Users\Admin\AppData\Roaming\FFABF4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280
-
-
C:\Users\Admin\cthost.exeC:\Users\Admin\cthost.exe startC:\Program Files (x86)\BF0C0\lvvm.exe%C:\Program Files (x86)\BF0C04⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640
-
-
C:\Program Files (x86)\LP\B3EF\4598.tmp"C:\Program Files (x86)\LP\B3EF\4598.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2632
-
-
-
C:\Users\Admin\dthost.exeC:\Users\Admin\dthost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2088
-
-
-
C:\Users\Admin\ethost.exeC:\Users\Admin\ethost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 304d553299e245f0b907b0b50a50d3ad_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Loads dropped DLL
PID:2084
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2476
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Modify Registry: 5
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 3
  - Credentials In Files: 3
Downloads