Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
submitted
31/10/2024, 02:26
Static task
static1
Behavioral task
behavioral1
Sample
8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
-
Size
284KB
-
MD5
8134e598125e14e6bd192b3bf1a5fa85
-
SHA1
e6d8f38208f789e5880085c43db65ddb0422df67
-
SHA256
e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d
-
SHA512
354dc28b7ebd1be9c1573937c19cce482872908237d90d53c0feac4db3b4d4b8f066bcd3a43088ccdb62b2da8c305ec0912bb8aaf373fdc6d07f3f18293c8ad8
-
SSDEEP
6144:lIfYOMlH5bmfynhMTMYX5evvwo86JQPDHDdx/Qtq8:ToWhMwYX5e3hPJQPDHvd
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gntykk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" gntykk.exe -
Pykspa family
-
UAC bypass 3 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gntykk.exe -
Detect Pykspa worm 1 IoCs
resource yara_rule behavioral1/files/0x0008000000016332-7.dat family_pykspa -
Adds policy Run key to start application 2 TTPs 24 IoCs
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe -
Executes dropped EXE 2 IoCs
pid Process 3036 gntykk.exe 1008 gntykk.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend gntykk.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc gntykk.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power gntykk.exe -
Loads dropped DLL 4 IoCs
pid Process 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 www.showmyipaddress.com 8 www.whatismyip.ca 10 whatismyipaddress.com 5 whatismyip.everdot.org -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe File opened for modification C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe File created C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe File opened for modification C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe File created C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe File opened for modification C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe File created C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe File created C:\Windows\xxwuzsuqvqtuoesbhmffe.hac gntykk.exe File opened for modification C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe File created C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk gntykk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gntykk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gntykk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3036 gntykk.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3036 gntykk.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2132 wrote to memory of 1008 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 30 PID 2132 wrote to memory of 1008 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 30 PID 2132 wrote to memory of 1008 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 30 PID 2132 wrote to memory of 1008 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 30 PID 2132 wrote to memory of 3036 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 31 PID 2132 wrote to memory of 3036 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 31 PID 2132 wrote to memory of 3036 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 31 PID 2132 wrote to memory of 3036 2132 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 31 -
System policy modification 1 TTPs 36 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe 
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gntykk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer gntykk.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gntykk.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" gntykk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\gntykk.exe "C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:1008
-
C:\Users\Admin\AppData\Local\Temp\gntykk.exe "C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-" 2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3036
-
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads