Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 11:38

Static task: static1

Behavioral task: behavioral1
Sample: ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Size: 278KB
MD5: ffb5f42044d2007e717e5c06e3d7f1ef
SHA1: 88845a13d26ba329a4531ae5aa18d3e2df6198de
SHA256: 71ced23be02f5ecb884c8c9211e18bbaef872d9d3b825090343f1ecccbc69a1b
SHA512: 90089c7dd7ee2c365cbaacb10286b8b7322c449bd663c5b310e3771395a97246d62e0b3a20370a8e5f983559ad0cc90704d13f97601fb5c18b93000de9176d6b
SSDEEP: 6144:gwiGe38VeuvU/YCiSld17dx6mOdiW9lWPbtgwvJfQA8jJ:3efuvUQnIdwmCuRdOH9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2796 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
4076 | AUDIEN~1.EXE
Loads dropped DLL 1 IoCs
pid | Process
4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
resource | yara_rule
behavioral2/memory/4616-5-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-15-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-7-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-21-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-22-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-34-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
behavioral2/memory/4616-242-0x0000000002370000-0x00000000033A3000-memory.dmp | upx
Drops file in Program Files directory 59 IoCs
description | ioc | Process
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\bodybar6.htm | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0018.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\Z.GIF | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_orange.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\~GLH0002.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\bodybar.htm | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000a.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_blue.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0013.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\arrow_bottom.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\picto_logo.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience.ini | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0001.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\bodybarframe.htm | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\bodybarframebis.htm | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000b.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0015.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\IEHelper.dll | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\~GLH0003.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_red.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0014.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0019.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Neostrada TP\install.LOG | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0008.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0017.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\title_decouvrez.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_green.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_mag.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\bullet_yellow.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\logo_woo2.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\resize_top_nocon.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\~GLH001a.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0012.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icones\~GLH0009.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icones\tp_16.ico | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\img_modele.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\TIRET.GIF | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0000.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0004.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000d.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000e.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0010.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Neostrada TP\Audience.ini | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\AudienceInstaller.exe | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0007.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\index_pc_nc.html | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000f.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\Program Files (x86)\Neostrada TP\install.LOG | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0006.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0016.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\title_encemoment.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Audience.dll | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\CnxMon.exe | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\~GLH0005.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH000c.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File created | C:\PROGRA~2\Neostrada TP\Audience\Icons\~GLH0011.TMP | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Neostrada TP\Audience\Icons\resize_top.gif | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AUDIEN~1.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4076 | AUDIEN~1.EXE
Suspicious use of WriteProcessMemory 37 IoCs
description | pid | Process | procid_target
PID 4616 wrote to memory of 768 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 8
PID 4616 wrote to memory of 772 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 9
PID 4616 wrote to memory of 64 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 13
PID 4616 wrote to memory of 2876 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 49
PID 4616 wrote to memory of 2928 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 51
PID 4616 wrote to memory of 2104 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 52
PID 4616 wrote to memory of 3356 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 55
PID 4616 wrote to memory of 3520 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 57
PID 4616 wrote to memory of 3708 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 58
PID 4616 wrote to memory of 3800 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 59
PID 4616 wrote to memory of 3888 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 60
PID 4616 wrote to memory of 3992 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 61
PID 4616 wrote to memory of 3540 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 62
PID 4616 wrote to memory of 2180 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 64
PID 4616 wrote to memory of 4364 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 76
PID 4616 wrote to memory of 2796 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 82
PID 4616 wrote to memory of 2796 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 82
PID 4616 wrote to memory of 2796 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 82
PID 4616 wrote to memory of 768 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 8
PID 4616 wrote to memory of 772 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 9
PID 4616 wrote to memory of 64 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 13
PID 4616 wrote to memory of 2876 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 49
PID 4616 wrote to memory of 2928 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 51
PID 4616 wrote to memory of 2104 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 52
PID 4616 wrote to memory of 3356 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 55
PID 4616 wrote to memory of 3520 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 57
PID 4616 wrote to memory of 3708 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 58
PID 4616 wrote to memory of 3800 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 59
PID 4616 wrote to memory of 3888 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 60
PID 4616 wrote to memory of 3992 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 61
PID 4616 wrote to memory of 3540 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 62
PID 4616 wrote to memory of 2180 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 64
PID 4616 wrote to memory of 4364 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 76
PID 4616 wrote to memory of 2500 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 84
PID 4616 wrote to memory of 4076 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 94
PID 4616 wrote to memory of 4076 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 94
PID 4616 wrote to memory of 4076 | 4616 | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe | 94
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:768

C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:772

C:\Windows\system32\dwm.exe "dwm.exe" 1⤵ PID:64

C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2876

C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2928

C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2104

C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:3356

  C:\Users\Admin\AppData\Local\Temp\ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\ffb5f42044d2007e717e5c06e3d7f1ef_JaffaCakes118.exe" 2⤵
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4616

    C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable 3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2796

    C:\PROGRA~2\NEOSTR~1\AUDIEN~1.EXE "C:\PROGRA~2\NEOSTR~1\AUDIEN~1.EXE" 3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4076

C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3520

C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3800

C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:3992

C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3540

C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:2180

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:4364

C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} 1⤵ PID:2500

  C:\Windows\system32\srtasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 2⤵ PID:2720

C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Checks SCSI registry key(s)
PID:4960
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process: 1
  Windows Service: 1
Event Triggered Execution: 1
  Netsh Helper DLL: 1
Privilege Escalation
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Create or Modify System Process: 1
  Windows Service: 1
Event Triggered Execution: 1
  Netsh Helper DLL: 1
Defense Evasion
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Impair Defenses: 4
  Disable or Modify System Firewall: 1
  Disable or Modify Tools: 3
Modify Registry: 4
Downloads
SHA12ae7e171930843a72e981a6c5d15f2a6c3d5d163
SHA2568e1595260f135a4e20009906b5fcb19e4a00413ba301ad1fad1c894e3d468d67
SHA512d2bc72eb5b602c31bc71edc806a8a3ff767dc6d838c706d67fdceba02f1e726305c5a5ae243db88afd4872dbd1a810f701114c678470b54e12515424da74cef7
-
Filesize
694B
MD5b463f10611267ae3982b4abf9c1ece10
SHA181c276eb858a3597aed0640fecb33af0ebb4a6cf
SHA25615655a1fe6f99889889d5ea9579aa036800decb5d932ed72b174067f0f9ff195
SHA512f96486bef9819c02d774ef1d2639e4dd3b8fcbcd58081d5f184216147793b7f8e251b730e51dd2bd1150e30e3558fa52c595a3ce82fad048c12ece4782bcc30e
-
Filesize
739B
MD57bb161d4638f948bba8e2feedf29a072
SHA1fc91e9a2dff5dcaeb7214ef07ecfec7467f8aa27
SHA2565451dbd7fe8103d450b73da27204eb80540b00311ce94d75be0cd198c3d0c984
SHA512443233054a5981ba2bdbbba6e67f8802fa553ea479b14b8d8c300427f84bb2e537dd793db6eeab33462f35c8d33c8d34388b0ea5ad72b3198b51679ca4e9cad7
-
Filesize
43B
MD5f7f26805de1a1f270e665bf7873d7e19
SHA1c32085898c6e36d361d4b8017087de90e1b8465c
SHA2562188414d64d2930eb54f4731b6eb9a931358ba625d1cd7535a889409218609d2
SHA5126755bed154762d44a97d836c1201a518b98c7df673c42fc125de88d5e8c73a43a08883280954c92cac7f62cc6ce31ce2e2208000c6be31c5f132446cddf702c0
-
Filesize
316B
MD575c6762f959d7531737899d6382b31ea
SHA13481848c9a1d945fd08271187aec9e6bfdaacd52
SHA25671e84c0b16f7d86dd0880dfec51d2edcb1c980c3c0728b8372aae618cf84bedf
SHA512a538ea5158f63128d1655d1331ad7bf4ffcab32e52eb69f184453ace2a9f0d95212e46a5808d4032091a4ad61e2c50f5bc5f6bcac3cd6e9dcaa3885d38db2d61
-
Filesize
441B
MD5c7d0ec6435af0a28c4454a97ae0cc1f8
SHA179af15ce6e1691c9f736a7cd275ec60b6264fd5d
SHA2569495db57a1b08ec5dfcf949566f11ac821427a7586fb7efcd3cf5e825ba0fcde
SHA512c8aa4c4be316a402e76d8751ef9ec0e008b322fc3e681ee344dc0a47e0830262e0f005275050c8a918cd1631ff31eade634594884c4e1c8b1cdc215b317bd2c0
-
Filesize
24KB
MD592b7b96a77d5feef8f2bacc1278ebc9f
SHA1a057e0e1c9f7bb937833bea6964515bf9fc2292e
SHA25644839309366e74d69340036a36acbda27542c0dfacbbbe583f49ce8d8e2bdc3b
SHA512de9d63a6c2cee82684fcf5e9e9f2a01671c5662c5d7329ef59a58896afadbf48d2e85a9e8b05402ea4de8ee721db86546f10b6de885a1db737eae3bcf5909685
-
Filesize
143KB
MD51f7ee3353eafec7c81cf39a849b1ae95
SHA1f3d25db0114aa59158d8fedf9bb6881b6de7505e
SHA256c88070dff47e09b823c819efbfd309146b2145ae7af21a31e21fdb33d51bd32f
SHA512547366c5ac66ba3aa1864d1667c1cc1a511b18115435adff85466387773a08a510e4261ecdb1f8bf372b94a32752115a2956263c91be426fb951bac71631afe8