Analysis
-
max time kernel
149s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
34 signatures
150 seconds
General
-
Target
fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe
-
Size
964KB
-
MD5
fca24879dc6cff884cf7791fcc35f38e
-
SHA1
669266f85613f69b52457d4a642b7c2614424b4e
-
SHA256
11418537179c5ca817791471b4532bc734c02d8a71c5155fae3f6068d5f1ec28
-
SHA512
568223b4a36d54396af6e4a5f8f09f542c540f6b796a1c4daaa01ec6f15263c275ec3351b57b62cf40838ce50f59191a3cef433fdb1d8b30f8b9439cb5e7a47e
-
SSDEEP
24576:SNDtgSt8ux/FI5QhM5BtON/X5aP/SdqJyybYfxk/5GFaidS0:IjImitOWXSdSrbjz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\04fa235b\\X" Explorer.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" u2AzQ8M2.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hiekeu.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 5eod.exe -
Deletes itself 1 IoCs
pid Process 2220 cmd.exe -
Executes dropped EXE 16 IoCs
pid Process 292 u2AzQ8M2.exe 2260 hiekeu.exe 3036 2eod.exe 3016 2eod.exe 2696 2eod.exe 2860 2eod.exe 2428 2eod.exe 2408 2eod.exe 1696 3eod.exe 2936 4eod.exe 332 csrss.exe 1348 X 824 3eod.exe 2780 3eod.exe 1532 5eod.exe 612 2156.tmp -
Loads dropped DLL 16 IoCs
pid Process 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 292 u2AzQ8M2.exe 292 u2AzQ8M2.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2936 4eod.exe 2936 4eod.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 1696 3eod.exe 1696 3eod.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /l" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /m" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /D" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /k" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /f" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /i" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /p" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /Z" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /F" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /J" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /W" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /q" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /G" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /s" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /P" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /a" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /u" hiekeu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5F4.exe = "C:\\Program Files (x86)\\LP\\DF6D\\5F4.exe" 3eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /S" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /Y" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /z" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /I" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /K" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /e" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /n" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /j" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /V" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /x" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /r" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /T" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /E" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /S" u2AzQ8M2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /d" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /w" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /y" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /c" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /Q" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /L" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xzrzkrbtmyli1r2puchetszqfffzfkde2\\svcnost.exe\"" 5eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /g" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /X" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /C" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /U" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /H" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /v" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /h" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /B" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /O" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /R" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /N" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /b" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /A" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /M" hiekeu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hiekeu = "C:\\Users\\Admin\\hiekeu.exe /t" hiekeu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2eod.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2416 tasklist.exe 3064 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 3036 set thread context of 3016 3036 2eod.exe 34 PID 3036 set thread context of 2696 3036 2eod.exe 35 PID 3036 set thread context of 2860 3036 2eod.exe 36 PID 3036 set thread context of 2428 3036 2eod.exe 38 PID 3036 set thread context of 2408 3036 2eod.exe 39 PID 2936 set thread context of 2644 2936 4eod.exe 52 -
resource yara_rule behavioral1/memory/3016-43-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-41-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-48-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2696-64-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2860-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2428-81-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2428-84-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2428-87-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2428-86-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2428-79-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2696-63-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2696-62-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2860-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-60-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2696-55-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2696-53-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/3016-50-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-46-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-105-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2428-161-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x0016000000004ed7-434.dat upx behavioral1/memory/2292-436-0x0000000002BE0000-0x00000000032F9000-memory.dmp upx behavioral1/memory/1532-438-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/1532-461-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\DF6D\5F4.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\DF6D\5F4.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\DF6D\2156.tmp 3eod.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u2AzQ8M2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hiekeu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2156.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \registry\machine\Software\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0} 4eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0}\u = "188" 4eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0}\cid = "8410401211857518760" 4eod.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 292 u2AzQ8M2.exe 292 u2AzQ8M2.exe 2696 2eod.exe 2860 2eod.exe 2260 hiekeu.exe 2260 hiekeu.exe 2860 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2260 hiekeu.exe 2260 hiekeu.exe 2260 hiekeu.exe 2696 2eod.exe 1696 3eod.exe 1696 3eod.exe 1696 3eod.exe 1696 3eod.exe 1696 3eod.exe 1696 3eod.exe 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2260 hiekeu.exe 2936 4eod.exe 2936 4eod.exe 2936 4eod.exe 2936 4eod.exe 1348 X 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2260 hiekeu.exe 2260 hiekeu.exe 2260 hiekeu.exe 2696 2eod.exe 2696 2eod.exe 2696 2eod.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2424 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2416 tasklist.exe Token: SeRestorePrivilege 1408 msiexec.exe Token: SeTakeOwnershipPrivilege 1408 msiexec.exe Token: SeSecurityPrivilege 1408 msiexec.exe Token: SeDebugPrivilege 2936 4eod.exe Token: SeDebugPrivilege 2936 4eod.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeShutdownPrivilege 2424 explorer.exe Token: SeDebugPrivilege 3064 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe 2424 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 292 u2AzQ8M2.exe 2260 hiekeu.exe 3036 2eod.exe 3016 2eod.exe 2428 2eod.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2292 wrote to memory of 292 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 28 PID 2292 wrote to memory of 292 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 28 PID 2292 wrote to memory of 292 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 28 PID 2292 wrote to memory of 292 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 28 PID 292 wrote to memory of 2260 292 u2AzQ8M2.exe 29 PID 292 wrote to memory of 2260 292 u2AzQ8M2.exe 29 PID 292 wrote to memory of 2260 292 u2AzQ8M2.exe 29 PID 292 wrote to memory of 2260 292 u2AzQ8M2.exe 29 PID 292 wrote to memory of 2232 292 u2AzQ8M2.exe 30 PID 292 wrote to memory of 2232 292 u2AzQ8M2.exe 30 PID 292 wrote to memory of 2232 292 u2AzQ8M2.exe 30 PID 292 wrote to memory of 2232 292 u2AzQ8M2.exe 30 PID 2232 wrote to memory of 2416 2232 cmd.exe 32 PID 2232 wrote to memory of 2416 2232 cmd.exe 32 PID 2232 wrote to memory of 2416 2232 cmd.exe 32 PID 2232 wrote to memory of 2416 2232 cmd.exe 32 PID 2292 wrote to memory of 3036 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 33 PID 2292 wrote to memory of 3036 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 33 PID 2292 wrote to memory of 3036 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 33 PID 2292 wrote to memory of 3036 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 33 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 3016 3036 2eod.exe 34 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2696 3036 2eod.exe 35 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2860 3036 2eod.exe 36 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2428 3036 2eod.exe 38 PID 3036 wrote to memory of 2408 3036 2eod.exe 39 PID 3036 wrote to memory of 2408 3036 2eod.exe 39 PID 3036 wrote to memory of 2408 3036 2eod.exe 39 PID 3036 wrote to memory of 2408 3036 2eod.exe 39 PID 3036 wrote to memory of 2408 3036 2eod.exe 39 PID 2292 wrote to memory of 1696 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 40 PID 2292 wrote to memory of 1696 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 40 PID 2292 wrote to memory of 1696 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 40 PID 2292 wrote to memory of 1696 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 40 PID 2292 wrote to memory of 2936 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 44 PID 2292 wrote to memory of 2936 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 44 PID 2292 wrote to memory of 2936 2292 fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe 44 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3eod.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Users\Admin\u2AzQ8M2.exeC:\Users\Admin\u2AzQ8M2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Users\Admin\hiekeu.exe"C:\Users\Admin\hiekeu.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
-
C:\Users\Admin\2eod.exeC:\Users\Admin\2eod.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3016
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2428
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
PID:2408
-
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1696 -
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Users\Admin\AppData\Roaming\D38D6\E6DDF.exe%C:\Users\Admin\AppData\Roaming\D38D64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:824
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Program Files (x86)\D6021\lvvm.exe%C:\Program Files (x86)\D60214⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Program Files (x86)\LP\DF6D\2156.tmp"C:\Program Files (x86)\LP\DF6D\2156.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:612
-
-
-
C:\Users\Admin\4eod.exeC:\Users\Admin\4eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Users\Admin\AppData\Local\04fa235b\X*0*bc*8b4840a8*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2644
-
-
-
C:\Users\Admin\5eod.exeC:\Users\Admin\5eod.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:1532
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del fca24879dc6cff884cf7791fcc35f38e_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2444
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵PID:2404
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:1504
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5449cf714ddba0f68cb17bc7f9698949b
SHA13639bfa3d1563f9a4e2caad9a21074e87b3bfa73
SHA2563c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010
SHA5128a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f
-
Filesize
120KB
MD53fe209cb336f44a0719e53e3b9354aa8
SHA1c37a59ba00521c78d81f0e7cf2713b41593e12a3
SHA25619102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1
SHA5126e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09
-
Filesize
600B
MD52187f7bd83def2cd1889818fcd39f700
SHA13d482c684276f023071a38a6a839a3a45b75b686
SHA256b7597309ac917fb3994b02ed5b392cb08be80c5f18bd970396d22ac4d11763d1
SHA512d77178f9df6bdef805a773e87f0584ae3dc8bdffee578f4d1e74ab50e76964e6b48891d9748520c3c818f43916696cd0268dbb8ea31490f1a255ad969ca53c67
-
Filesize
996B
MD5b627bc3261f11693ee6bf84f84bae02d
SHA1a5c9f2e19f036c90f0cba3fe3cf8010aa29a2162
SHA256475f47efcc50f1c8ad94d92921c2dfacd7c801dc736848d2411278943ef73c12
SHA512fd3e8a726553c5524b0ca4dd9cf3c21dade3e67c7bb4393a10d4f14ea9c9c7361478f894561199019155ddd8ce34c8cb534ecfeefa4235afa6328e94bbb6ba27
-
Filesize
1KB
MD5ba7d5d487c448df71bc353c33ce4fa12
SHA153ed90f4b8dd2f5115d46daa2046486aa33c0ec6
SHA256649f6170174cd17436ea185581ce42384a13aad795a86be07bda2beb8acc66b4
SHA512a59befb2f7c2adbb872fae7c656e38c59ab4c35b68d3210046d947029d7a47cc3b387829df3484049b63c980ca028f0c591ff02c8bfe92e522b4965410c78d8e
-
Filesize
100KB
MD5340f18faddf54d738f6e56fe3d8b1d54
SHA1bb247a2f8db305906d558c0c665cc7fd7f86ff67
SHA2564613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572
SHA512e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74
-
Filesize
282KB
MD52c24a5f9f31ac5a0d3830187617cf6dc
SHA1e71116ab32e0dfa7495f0562c86f232df7202991
SHA256007e9c74a2ee70d46460c91a3c36aa08602bb51a792e89f2d89a358ecbac94c6
SHA512f59a98a728c0d923443d10b2419b6a9bb5ac613949f26fa923240cc2162c93bc462e65f46f46000a1120065bf344b32ddba0f674cfc8007dd1d7591f4cb19b04
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
320KB
MD56982c0aba357ff01fd92c61ee6a2cea1
SHA14e1a8c3f031b1b2d349e47d93783c97dcf943ba6
SHA256fcb880e88c37718b454f1a1fa3ab9277f4be3b51740c3751a366c75478970774
SHA51244a24c27d06596d6af54358b5a4671612b4073afb59afe916b2bded6f25d5f6aa43bb4e0c7f1e0391cae09bd81cd4191f0dc5c77482533a2e98dd0d8bed6ac7f
-
Filesize
320KB
MD5ca2acc28a24d14c7e282bd1c689229d0
SHA1c253b9ce5fa1db5bd8a02a49af44a751331e624c
SHA256bd67e3974c9108c7f2bd1cb266f6c3aad420fc63860fd653d0198e26927e2c25
SHA512007c6df499080b538deeffa552d09e0cddba64c6494fe98d6eaf883bd39180d4d9fba0bf08f7d650b256bd54fa52deafc415865dd69b00426452470a173ab2d2
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
2KB
MD53a7482ba479bf81871823c500396d7f4
SHA14bfe4b0745895cce782cc0a90a8cfe9ba1cc3ca0
SHA25693fd7ce6c6fc5480976b1053b6fe569c589ff5e32ed7731074b827a220b7877e
SHA5124841c45264b44e15a96a438fe6c6ab94b56fa59f67b09f75b2c74850af88df7f5b9b2071d490eb1da4132cfe190f2ab716d8d86e9f80e87d1663bc48213f7cf3