Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2024 22:10
Behavioral task: behavioral1
- Sample: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe
- Size: 6.1MB
- MD5: 3c482e0e708ca8a714a5b2623f14fe6c
- SHA1: 039ef958e0f3f331980b02103f9fd012ef370411
- SHA256: 9931594c94b941e73879bb1818f7bb691e64885d6c8c6b877372d89f6881ee6b
- SHA512: 134c769f040ed4a9fbdfd0946ce58e0b5264f33d215953584ea0e7e7836c899aceb6ffe2d69aefdc30fb3b671f186570b2f9462ec7eac808a8553e370a68c5a2
- SSDEEP: 98304:f3HOZJ6BQaLV7Y8PrsR7DEbtLzRnRNcRAqN:PHOZJ6nJnDsNAtNzcR
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Drops file in Drivers directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\host_new 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File created C:\Windows\System32\drivers\etc\hosts 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened for modification C:\Windows\System32\drivers\etc\hosts 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File created C:\Windows\system32\drivers\etc\host_new 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartdefender.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\dop.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\Debugger = "svchost.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Protection Suite = "\"C:\\ProgramData\\8c623\\WIc94.exe\" /s /d" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Protection Suite = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe\" /s " 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\R: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\S: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\V: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\X: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\G: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\H: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\K: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\Y: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\Z: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\M: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\N: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\P: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\W: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\E: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\I: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\L: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\T: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\U: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\J: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe File opened (read-only) \??\Q: 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/444-0-0x0000000000400000-0x0000000000A22000-memory.dmp upx behavioral2/memory/444-846-0x0000000000400000-0x0000000000A22000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mofcomp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Kills process with taskkill 1 IoCs
pid Process 2828 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.DocHostUIHandler\Clsid 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.DocHostUIHandler" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.DocHostUIHandler 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Token: SeSecurityPrivilege 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Token: SeDebugPrivilege 2828 taskkill.exe Token: SeSecurityPrivilege 1396 mofcomp.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 444 wrote to memory of 2828 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 87 PID 444 wrote to memory of 2828 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 87 PID 444 wrote to memory of 2828 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 87 PID 444 wrote to memory of 1396 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 89 PID 444 wrote to memory of 1396 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 89 PID 444 wrote to memory of 1396 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 89 PID 444 wrote to memory of 4912 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 91 PID 444 wrote to memory of 4912 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 91 PID 444 wrote to memory of 4912 444 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe 91 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" 3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe"
- UAC bypass
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:444 -
C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM MSASCui* /IM avg* /IM ash* /IM McSA*
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\SysWOW64\wbem\mofcomp.exe "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\51.mof"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\3c482e0e708ca8a714a5b2623f14fe6c_JaffaCakes118.exe" "Windows Protection Suite" ENABLE
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4912
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Event Triggered Execution: 2
- Image File Execution Options Injection: 1
- Netsh Helper DLL: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Event Triggered Execution: 2
- Image File Execution Options Injection: 1
- Netsh Helper DLL: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Impair Defenses: 1
- Disable or Modify Tools: 1
- Modify Registry: 4
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 1
- Credentials In Files: 1
Downloads