Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 20:08
Static task: static1
Behavioral task: behavioral1
Sample: ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
Size: 2.6MB
MD5: ad7376353773464755502b50dea5fabd
SHA1: 0d9d5e10885659ec3925db9cfb17cadf20e1293c
SHA256: 6f3e7496171fc07feb0c1dfecf7d6bb367c15836acb5571b2f9fc4f980db2a32
SHA512: 036e68309853dd2793bd95246243e85125c12bbb093a6572df8ff35b0ea189b81b44aa25f852432b40e393ede014bb6b7d25ef5df826fe30d642b609e7096afe
SSDEEP: 49152:UWSaaeEQcNm036hvpmIXUXg2z1qRJKvYG8OlA82MNg9/Et:NSaaeExE0ERUwe1aJKQhuND
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: PC
C2: etoneratnik.ddns.net:28015, localhost:28015
Mutex: FCK_RAT_1WsrmPyKlRpwcMNdsv
encryption_key: hUeALvSVdWkKP5gkYVqc
install_name: stеamwеbhеlper.exe (the three "е" are Cyrillic U+0435, a look-alike of Steam's steamwebhelper.exe; one "File created" row further down renders the same name as st?amw?bh?lper.exe)
log_directory: Logs
reconnect_delay: 2000
startup_key: Steam Client WebHelper (32 бита) (Russian, "32-bit"; used verbatim as the scheduled task name, see the process tree)
subdirectory: Steam
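The install_name and startup_key above imitate Steam's own steamwebhelper.exe with Cyrillic look-alike letters. As an added example (not code from this report or from Quasar), the following Python classifies such names: it records which scripts a name mixes, collapses look-alike letters to the Latin letters they imitate, and reports when the collapsed form equals a protected name. The confusables map and the known-good list are assumptions of the example; the sample strings are constructed from the extracted config with the non-Latin code points written out explicitly.

```python
# Added example (not from the sandbox report or from Quasar): classify file and task
# names that imitate a legitimate binary with look-alike letters from another script.
import unicodedata

# Cyrillic look-alikes of Latin letters. A hand-built subset assumed by this example;
# Unicode's confusables.txt is the full reference.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Constructed from the report's extracted config, with the non-Latin code points explicit:
# install_name (three Cyrillic U+0435 in place of Latin e) and startup_key "(32 бита)".
SAMPLE_INSTALL_NAME = "st\u0435amw\u0435bh\u0435lper.exe"
SAMPLE_STARTUP_KEY = "Steam Client WebHelper (32 \u0431\u0438\u0442\u0430)"
KNOWN_GOOD = {"steamwebhelper.exe"}  # names worth protecting; an assumption of the example


def scripts_used(text):
    """Scripts of the letters in text, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Lowercase text with look-alike letters mapped back to the Latin letter they imitate."""
    normalized = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized).lower()


def analyze_name(name, known_good=KNOWN_GOOD):
    """Report mixed-script use and whether the name impersonates a protected name."""
    scripts = scripts_used(name)
    skel = skeleton(name)
    return {
        "name": name,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skel,
        # impersonation: collapses to a protected name but is not literally that name
        "impersonates": skel in known_good and name.lower() != skel,
        "non_ascii_positions": [i for i, ch in enumerate(name) if ord(ch) > 127],
    }


if __name__ == "__main__":
    for n in (SAMPLE_INSTALL_NAME, SAMPLE_STARTUP_KEY, "steamwebhelper.exe"):
        print(analyze_name(n))
```

The two signals are deliberately separate: the task name "Steam Client WebHelper (32 бита)" is mixed-script simply because it contains Russian, so mixed script on its own is weak evidence; the install name collapsing to steamwebhelper.exe while not being that string is the strong signal.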
Signatures

Quasar family

Quasar payload 44 IoCs
All 44 hits are yara_rule family_quasar on resources of the form behavioral1/memory/<pid>-<dump>-<start>-<end>-memory.dmp:
pid 1960, dumps 2, 3, 12: 0x0000000000BC0000-0x0000000001186000
pid 2820, dumps 15, 16, 33: 0x0000000000230000-0x00000000007F6000
pid 2996, dumps 35, 36, 54: 0x0000000000990000-0x0000000000F56000
pid 1680, dumps 56, 57, 58, 76: 0x0000000000360000-0x0000000000926000
pid 2432, dumps 79, 80, 98: 0x00000000002C0000-0x0000000000886000
pid 2628, dumps 100, 101, 119: 0x00000000010E0000-0x00000000016A6000
pid 1044, dumps 121, 122, 123, 141: 0x00000000010E0000-0x00000000016A6000
pid 1544, dumps 143, 144, 162: 0x00000000010E0000-0x00000000016A6000
pid 2840, dumps 164, 165, 181: 0x00000000010E0000-0x00000000016A6000
pid 2620, dumps 182, 183, 194: 0x00000000012B0000-0x0000000001876000
pid 928, dumps 195, 196, 207: 0x0000000000300000-0x00000000008C6000
pid 1820, dumps 208, 209, 220: 0x0000000000040000-0x0000000000606000
pid 1268, dumps 221, 222, 233: 0x0000000000220000-0x00000000007E6000
pid 2864, dumps 234, 235, 246: 0x00000000000E0000-0x00000000006A6000
Every region is 0x5C6000 bytes long, consistent with one and the same image loaded at a different base in each of the 14 processes.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
description | ioc | Process (number of identical rows)
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | stеamwеbhеlper.exe ×13, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process (number of identical rows)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | stеamwеbhеlper.exe ×13, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | stеamwеbhеlper.exe ×13, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Executes dropped EXE 13 IoCs
pid | Process
2820, 2996, 1680, 2432, 2628, 1044, 1544, 2840, 2620, 928, 1820, 1268, 2864 | stеamwеbhеlper.exe (one row per pid)
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process (number of identical rows)
Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1, stеamwеbhеlper.exe ×13
Loads dropped DLL 64 IoCs
pid | Process
1960 | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
2900, 592, 1908, 2980, 2116, 2548, 2108, 2140, 2384, 2848, 2508, 2432 | WerFault.exe (5 rows per pid)
480 | WerFault.exe (3 rows)
Checks whether UAC is enabled 14 IoCs
description | ioc | Process (number of identical rows)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | stеamwеbhеlper.exe ×13, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com
10 | ip-api.com
17 | ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 14 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process (number of identical rows)
File opened for modification | \??\PhysicalDrive0 | stеamwеbhеlper.exe ×13, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Caveat: the evidence behind this signature is a handle to \??\PhysicalDrive0 requested with write access; the report records no actual write to the raw disk, so confirm against the disk image before treating the sample as a bootkit.
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid | Process
1960 | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
2820, 2996, 1680, 2432, 2628, 1044, 1544, 2840, 2620, 928, 1820, 1268, 2864 | stеamwеbhеlper.exe (one row per pid)
Drops file in Program Files directory 16 IoCs
description | ioc | Process (number of identical rows)
File opened for modification | C:\Program Files (x86)\Steam\stеamwеbhеlper.exe | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1, stеamwеbhеlper.exe ×13
File created | C:\Program Files (x86)\Steam\st?amw?bh?lper.exe | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1 (as rendered in the report; the three "?" sit where the Cyrillic "е" characters are)
File created | C:\Program Files (x86)\Steam\stеamwеbhеlper.exe | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 13 IoCs
pid | pid_target | Process | procid_target
2900 | 2820 | WerFault.exe | 34
592 | 2996 | WerFault.exe | 42
1908 | 1680 | WerFault.exe | 50
2980 | 2432 | WerFault.exe | 58
2116 | 2628 | WerFault.exe | 66
2548 | 1044 | WerFault.exe | 74
2108 | 1544 | WerFault.exe | 82
2140 | 2840 | WerFault.exe | 91
2384 | 2620 | WerFault.exe | 99
2848 | 928 | WerFault.exe | 107
2508 | 1820 | WerFault.exe | 115
2432 | 1268 | WerFault.exe | 123
480 | 2864 | WerFault.exe | 131
Each of the 13 dropped stеamwеbhеlper.exe instances has a matching WerFault.exe report; in the WriteProcessMemory table each instance spawns WerFault.exe shortly after launching its restart batch file.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (number of identical rows)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe ×13, cmd.exe ×13, chcp.com ×13, PING.EXE ×13, stеamwеbhеlper.exe ×11, ad7376353773464755502b50dea5fabd_JaffaCakes118.exe ×1
Caveat: the same key is opened by the ordinary system utilities in this run (cmd.exe, chcp.com, PING.EXE, schtasks.exe), so on its own this signature is weak evidence of deliberate geolocation.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1248, 1360, 2488, 2908, 2928, 2584, 1468, 2940, 480, 2160, 1616, 1000, 288 | PING.EXE (one row per pid)
Caveat: the ping invocation visible in the process tree (PID 2940) is `ping -n 10 localhost`, run from the dropped batch file immediately before the dropped binary is relaunched; a ping to localhost is a delay of several seconds, not a connectivity check.

Runs ping.exe 1 TTPs 13 IoCs
pid | Process
1360, 2908, 480, 2160, 2928, 1248, 2940, 2488, 2584, 1616, 1000, 1468, 288 | PING.EXE (one row per pid)
Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2076, 1040, 288, 3052, 612, 2916, 2516, 1700, 1248, 2824, 2308, 2252, 932, 844 | schtasks.exe (one row per pid)
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
1960 | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
2820, 2996, 1680, 2432, 2628, 1044, 1544, 2840, 2620, 928, 1820, 1268, 2864 | stеamwеbhеlper.exe (one row per pid)

Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1960 | ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
Token: SeDebugPrivilege | 2820, 2996, 1680, 2432, 2628, 1044, 1544, 2840, 2620, 928, 1820, 1268, 2864 | stеamwеbhеlper.exe (one row per pid)

Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
2820, 2996, 1680, 2432, 2628, 1044, 1544, 2840, 2620, 928, 1820, 1268, 2864 | stеamwеbhеlper.exe (one row per pid)

Suspicious use of WriteProcessMemory 64 IoCs
description (pid, Process) | procid_target; every row below appears four times in the report, 16 distinct rows in total
PID 1960 (ad7376353773464755502b50dea5fabd_JaffaCakes118.exe) wrote to memory of 2252 | 32
PID 1960 (ad7376353773464755502b50dea5fabd_JaffaCakes118.exe) wrote to memory of 2820 | 34
PID 2820 (stеamwеbhеlper.exe) wrote to memory of 2916 | 35
PID 2820 (stеamwеbhеlper.exe) wrote to memory of 3016 | 37
PID 3016 (cmd.exe) wrote to memory of 2704 | 39
PID 2820 (stеamwеbhеlper.exe) wrote to memory of 2900 | 40
PID 3016 (cmd.exe) wrote to memory of 2940 | 41
PID 3016 (cmd.exe) wrote to memory of 2996 | 42
PID 2996 (stеamwеbhеlper.exe) wrote to memory of 2076 | 43
PID 2996 (stеamwеbhеlper.exe) wrote to memory of 1616 | 45
PID 2996 (stеamwеbhеlper.exe) wrote to memory of 592 | 47
PID 1616 (cmd.exe) wrote to memory of 1352 | 48
PID 1616 (cmd.exe) wrote to memory of 1360 | 49
PID 1616 (cmd.exe) wrote to memory of 1680 | 50
PID 1680 (stеamwеbhеlper.exe) wrote to memory of 2516 | 51
PID 1680 (stеamwеbhеlper.exe) wrote to memory of 1900 | 53
Processes

Process tree in depth-first order; the depth tag and parent PID reconstruct the nesting the report displayed as an indented tree.

[depth 1] C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1960

[depth 2, parent PID 1960] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ad7376353773464755502b50dea5fabd_JaffaCakes118.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2252

[depth 2, parent PID 1960] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2820

[depth 3, parent PID 2820] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2916

[depth 3, parent PID 2820] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQJKfmBU72J7.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3016

[depth 4, parent PID 3016] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2704

[depth 4, parent PID 3016] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2940

[depth 4, parent PID 3016] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2996

[depth 5, parent PID 2996] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2076

[depth 5, parent PID 2996] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yUKVFjARv3Cm.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1616

[depth 6, parent PID 1616] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 1352

[depth 6, parent PID 1616] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1360

[depth 6, parent PID 1616] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1680

[depth 7, parent PID 1680] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2516

[depth 7, parent PID 1680] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uHKorPUjDmZp.bat" "
  - System Location Discovery: System Language Discovery
  PID: 1900

[depth 8, parent PID 1900] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 880

[depth 8, parent PID 1900] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2488

[depth 8, parent PID 1900] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2432

[depth 9, parent PID 2432] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 932

[depth 9, parent PID 2432] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aPmBoaycZCYC.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2936

[depth 10, parent PID 2936] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2952

[depth 10, parent PID 2936] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2908

[depth 10, parent PID 2936] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2628

[depth 11, parent PID 2628] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 844

[depth 11, parent PID 2628] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9Vc5CH7st18k.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2504

[depth 12, parent PID 2504] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 404

[depth 12, parent PID 2504] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 480

[depth 12, parent PID 2504] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1044

[depth 13, parent PID 1044] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 1040

[depth 13, parent PID 1044] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcFiMjRSjeQD.bat" "
  - System Location Discovery: System Language Discovery
  PID: 832

[depth 14, parent PID 832] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 872

[depth 14, parent PID 832] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2160

[depth 14, parent PID 832] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1544

[depth 15, parent PID 1544] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 1700

[depth 15, parent PID 1544] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BayJtDSsRp7z.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2796

[depth 16, parent PID 2796] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 1488

[depth 16, parent PID 2796] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2928

[depth 16, parent PID 2796] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2840

[depth 17, parent PID 2840] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 288

[depth 17, parent PID 2840] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ohcx4fmSGSOR.bat" "
  - System Location Discovery: System Language Discovery
  PID: 3016

[depth 18, parent PID 3016] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 1136

[depth 18, parent PID 3016] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2584

[depth 18, parent PID 3016] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2620

[depth 19, parent PID 2620] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 1248

[depth 19, parent PID 2620] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tTKx9NEvghBd.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2096

[depth 20, parent PID 2096] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 852

[depth 20, parent PID 2096] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1616

[depth 20, parent PID 2096] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 928

[depth 21, parent PID 928] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 3052

[depth 21, parent PID 928] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUnPaVxSKEkv.bat" "
  - System Location Discovery: System Language Discovery
  PID: 1044

[depth 22, parent PID 1044] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2268

[depth 22, parent PID 1044] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1000

[depth 22, parent PID 1044] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1820

[depth 23, parent PID 1820] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 612

[depth 23, parent PID 1820] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PApng7XNu2iu.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2180

[depth 24, parent PID 2180] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2872

[depth 24, parent PID 2180] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1468

[depth 24, parent PID 2180] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1268

[depth 25, parent PID 1268] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2824

[depth 25, parent PID 1268] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mctUC40YnNbh.bat" "
  - System Location Discovery: System Language Discovery
  PID: 932

[depth 26, parent PID 932] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2252

[depth 26, parent PID 932] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 288

[depth 26, parent PID 932] C:\Program Files (x86)\Steam\stеamwеbhеlper.exe
  Command line: "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2864

[depth 27, parent PID 2864] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "Steam Client WebHelper (32 бита)" /sc ONLOGON /tr "C:\Program Files (x86)\Steam\stеamwеbhеlper.exe" /rl HIGHEST /f
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2308

[depth 27, parent PID 2864] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYV3Qq0q7H1g.bat" "
  - System Location Discovery: System Language Discovery
  PID: 2144

[depth 28, parent PID 2144] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  - System Location Discovery: System Language Discovery
  PID: 2624

[depth 28, parent PID 2144] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1248

[depth 27, parent PID 2864] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1628
  - Loads dropped DLL
  - Program crash
  PID: 480

[depth 25, parent PID 1268] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1576
  - Loads dropped DLL
  - Program crash
  PID: 2432

[depth 23, parent PID 1820] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1608
  - Loads dropped DLL
  - Program crash
  PID: 2508

[depth 21, parent PID 928] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1616
  - Loads dropped DLL
  - Program crash
  PID: 2848

[depth 19, parent PID 2620] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1584
  - Loads dropped DLL
  - Program crash
  PID: 2384

[depth 17, parent PID 2840] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1636
  - Loads dropped DLL
  - Program crash
  PID: 2140

[depth 15, parent PID 1544] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1596
  - Loads dropped DLL
  - Program crash
  PID: 2108

[depth 13, parent PID 1044] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1608
  - Loads dropped DLL
  - Program crash
  PID: 2548

[depth 11, parent PID 2628] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1600
  - Loads dropped DLL
  - Program crash
  PID: 2116

[depth 9, parent PID 2432] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1604
  - Loads dropped DLL
  - Program crash
  PID: 2980

[depth 7, parent PID 1680] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1616
  - Loads dropped DLL
  - Program crash
  PID: 1908

[depth 5, parent PID 2996] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1608
  - Loads dropped DLL
  - Program crash
  PID: 592

[depth 3, parent PID 2820] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1624
  - Loads dropped DLL
  - Program crash
  PID: 2900
Network

MITRE ATT&CK Enterprise v15
Persistence
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads