Overview
overview
7
Static
static
7
JaffaCakes...c0.exe
windows7-x64
7
JaffaCakes...c0.exe
windows10-2004-x64
7
$LOCALAPPD...ds.exe
windows7-x64
7
$LOCALAPPD...ds.exe
windows10-2004-x64
7
$PLUGINSDI...Ex.dll
windows7-x64
3
$PLUGINSDI...Ex.dll
windows10-2004-x64
3
$PLUGINSDI...ns.dll
windows7-x64
3
$PLUGINSDI...ns.dll
windows10-2004-x64
3
$PLUGINSDI...ad.dll
windows7-x64
3
$PLUGINSDI...ad.dll
windows10-2004-x64
3
$PLUGINSDI...dl.dll
windows7-x64
3
$PLUGINSDI...dl.dll
windows10-2004-x64
3
$PLUGINSDI...es.dll
windows7-x64
3
$PLUGINSDI...es.dll
windows10-2004-x64
3
$PLUGINSDI...em.dll
windows7-x64
3
$PLUGINSDI...em.dll
windows10-2004-x64
3
$PLUGINSDIR/Time.dll
windows7-x64
3
$PLUGINSDIR/Time.dll
windows10-2004-x64
3
$PLUGINSDI...fo.dll
windows7-x64
3
$PLUGINSDI...fo.dll
windows10-2004-x64
3
$PLUGINSDI...ef.dll
windows7-x64
3
$PLUGINSDI...ef.dll
windows10-2004-x64
3
$PLUGINSDIR/mt.dll
windows7-x64
3
$PLUGINSDIR/mt.dll
windows10-2004-x64
3
$PLUGINSDI...os.dll
windows7-x64
3
$PLUGINSDI...os.dll
windows10-2004-x64
3
FM4ffx.exe
windows7-x64
7
FM4ffx.exe
windows10-2004-x64
7
$PLUGINSDI...dl.dll
windows7-x64
3
$PLUGINSDI...dl.dll
windows10-2004-x64
3
$PLUGINSDI...em.dll
windows7-x64
3
$PLUGINSDI...em.dll
windows10-2004-x64
3
Analysis
-
max time kernel
94s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/01/2025, 16:42
Behavioral task
behavioral1
Sample
JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$LOCALAPPDATA/funmoods.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$LOCALAPPDATA/funmoods.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ExtractDLLEx.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/ExtractDLLEx.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InetLoad.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InetLoad.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/Processes.dll
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/Processes.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/Time.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/Time.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/chrmPref.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/chrmPref.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/mt.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/mt.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsisos.dll
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsisos.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
FM4ffx.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
FM4ffx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
-
Size
1.7MB
-
MD5
5c7f6d6e11f4eb14a890fd8084669bc0
-
SHA1
542ec2fbe7ffbb14e5de2f2635604b452e8a532e
-
SHA256
19a18b2cd97bcb69202c9f203fadcaff5f23aa4b7c6b79ede8acb310b479fb0c
-
SHA512
4c2458bfce224b29ff5493d363cabd4dd0cd853570e9eadf9926cbc76ce3abb19b2101377559b060236521ab23f06dcf2dd2d888ba5b5f7289751219c88c4180
-
SSDEEP
24576:97AnB5GaUEMm6S9j5nWT1zU9uWIMS06Pn6K+ZSq7pm2rhqmN4dWQVhhlZo6rOWgq:mFUrm6S9ATFUNcbn2F9/NGWOO6rufjO
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000700000001e104-14.dat acprotect behavioral2/files/0x0008000000023cc5-186.dat acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation funmoods.exe -
Executes dropped EXE 4 IoCs
pid Process 1400 funmoods.exe 2376 FM4ie.exe 2596 FM4ffx.exe 3312 funmoodssrv.exe -
Loads dropped DLL 64 IoCs
pid Process 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 1400 funmoods.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" FM4ie.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects FM4ie.exe -
resource yara_rule behavioral2/files/0x000700000001e104-14.dat upx behavioral2/memory/4816-19-0x0000000002320000-0x0000000002332000-memory.dmp upx behavioral2/memory/4816-20-0x0000000002320000-0x0000000002332000-memory.dmp upx behavioral2/memory/4816-58-0x0000000002320000-0x0000000002332000-memory.dmp upx behavioral2/memory/4816-59-0x0000000002320000-0x0000000002332000-memory.dmp upx behavioral2/files/0x0008000000023cc5-186.dat upx -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe FM4ie.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FM4ie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FM4ffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language funmoodssrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language funmoods.exe -
NSIS installer 4 IoCs
resource yara_rule behavioral2/files/0x0009000000023c9a-61.dat nsis_installer_1 behavioral2/files/0x0009000000023c9a-61.dat nsis_installer_2 behavioral2/files/0x0007000000023cdf-1228.dat nsis_installer_1 behavioral2/files/0x0007000000023cdf-1228.dat nsis_installer_2 -
Modifies Internet Explorer settings
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" FM4ie.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" FM4ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" FM4ie.exe
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082} funmoods.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\OSDFileURL = "file:///C:/Users/Admin/AppData/Local/Temp/FNMD/FM/1.5.11.1/funmoods.xml" funmoods.exe
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main funmoods.exe
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing funmoods.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutUrls FM4ie.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} FM4ie.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\FaviconURL = "http://start.funmoods.com/favicon.ico" funmoods.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" funmoods.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\Codepage = "65001" funmoods.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\DisplayName = "Search" funmoods.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AboutURLs\Tabs = "http://start.funmoods.com/?f=2&a=down" FM4ie.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\ FM4ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" FM4ie.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A559D348-67C3-4789-9DF9-F108563D4082}\URL = "http://start.funmoods.com/results.php?f=4&a=down&q={searchTerms}" funmoods.exe
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.funmoods.com/?f=1&a=down" funmoods.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CLSID\ = "{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\aflt = "down" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escort.DLL FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1} FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D} FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID FM4ie.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32\ThreadingModel = "apartment" funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=down&q=" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\AppID = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\bh\\funmoods.dll" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "CescrtHlpr Object" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1 FM4ie.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsApp.dll" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "CDskBnd Object" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib FM4ie.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "20103" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CurVer\ = "escort.escortIEPane.1" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = 
"{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\AppID = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsEng.dll\\2" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32 FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID funmoodssrv.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ = "IappCore" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE funmoodssrv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\TypeLib funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" FM4ie.exe -
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 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 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe 1400 funmoods.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1400 funmoods.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4816 wrote to memory of 1400 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 97 PID 4816 wrote to memory of 1400 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 97 PID 4816 wrote to memory of 1400 4816 JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe 97 PID 1400 wrote to memory of 2376 1400 funmoods.exe 99 PID 1400 wrote to memory of 2376 1400 funmoods.exe 99 PID 1400 wrote to memory of 2376 1400 funmoods.exe 99 PID 1400 wrote to memory of 2596 1400 funmoods.exe 100 PID 1400 wrote to memory of 2596 1400 funmoods.exe 100 PID 1400 wrote to memory of 2596 1400 funmoods.exe 100 PID 2376 wrote to memory of 3312 2376 FM4ie.exe 101 PID 2376 wrote to memory of 3312 2376 FM4ie.exe 101 PID 2376 wrote to memory of 3312 2376 FM4ie.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe" 1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\funmoods.exe
"C:\Users\Admin\AppData\Local\funmoods.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi 2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe" /S /aflt=down /mhp /mds /mnt /stagedXpi 3⤵
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3312
-
-
-
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe /S /aflt=down /mhp /mds /mnt /stagedXpi 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry 4
Subvert Trust Controls 1
Install Root Certificate 1
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Replay Monitor
Downloads
-
Filesize
328KB
MD5f95617b082693af8490edb28b771870e
SHA1e6e7ffa25aa1acfa07888fd388af8dfaf28da656
SHA2567352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f
SHA51272bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508
-
Filesize
534KB
MD59001188b424b2c2fa40368ee2b1df506
SHA16ac9d3d3e42acc49524bf9bf80ff3a473c90212b
SHA2565809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea
SHA5129d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906
-
Filesize
243KB
MD5ac557d58c73411da1d2aa66109182dfa
SHA1d464184873099e2f3f1700bcb74284b8ca7959ed
SHA25601f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e
SHA512ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617
-
Filesize
10KB
MD51caa54207c56b9df0fd4aa6cd3002d87
SHA1dcd5bdf23c52bbb57574366dd3a07158a3198603
SHA25639325ac4d09d4ac26f7a7f62d727fff3f98c8d12c2934ea74d6e6c449c1a962c
SHA5121775d915cbc07cb908cfad0418b08fa0841bdf6548111bbe044da404e23c7c9cd320154050e5a19a283d06527ce79201577b106dfdf6d4c25eafe21712fc45f7
-
Filesize
1.1MB
MD5ce86ace6982b9f2d8836ff204c592dd2
SHA160ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac
SHA2563d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a
SHA512c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa
-
Filesize
544B
MD54572bfac1a74abe2d4d716871b2c9cad
SHA1daa25567a196e9e7b10b2bf33ba35299f2c16f84
SHA2568f2ac3e5f4345b19010d7dc0a7ed835727f5e7780f4c00517aadb18724dcaf29
SHA512285f22cea572aab5b37acb00e1e77db684e57c40361bf7eb05dc27c0ac42587b1dd9666cfaa9547862db43d5284c0e9087dd2c45247635fa22a51a6431267d15
-
Filesize
1KB
MD5bdbec4d620b4c4658d39070752f0e5e4
SHA1bb9e0b89cfd028a79bd1cad9db4fb54c029c7ccd
SHA256ff07e15a4e1e1ba84ad9d9e0892c4bd4a369c00bbbd6ea0c514f60acce26a05d
SHA512adc6a8e4c8ab0d3c4b1931c86ae40b4335a567d680700809b4cacd465c9d53a9759a4e480a1deb6da26f5c873fe2729186f6b88e7ab059fed98a609badc36308
-
Filesize
1KB
MD51b6970ff0e42aab8cda50dad88c79003
SHA1283be10551400779ce7e21af8d2441a83abc6fe4
SHA256d5c5583827312d026ed17b5963dd7cd2d8c659a2755afd6c4281ca41c93f4fd2
SHA512b7a1568ec9009348778996d14f780be56a9c2770303cc9c2dcb8787a30635f3b3e0ac72c7fa8a7fea70ca5b3e1bfd096cad8b3de02f14eebda9df8f9c8a51eb0
-
Filesize
861B
MD59a573122109bd0eb9d9d89601f5baae0
SHA17bb54aec051f708a8e7d0383a3937fec89e91ed5
SHA256a04e1eaa4b876e6fc57810383076142ecf7c44844379c87aace0730ba5316732
SHA5124305aa38b28d830663eabeead44b348dfbc7cad784e53abe8709b9cba42bfc94c8c1102d072aa26af5c4fc0a65be12f251d6d66549ea4c9aa0714ab3840b7a32
-
Filesize
1KB
MD5dd93dd3ebfb0b592732bdee5bdcf23db
SHA13e56df3803c4c23b52c031d749ab627b0515a586
SHA256eb9d282bc22910cc105ce4566971cd17cd400b0a1ac4ceefa11a6cc10008329b
SHA5125872221127bd77139ef2572cc9a90ffc1dd74fe45630c0a32e5d568354ae43d7de201bc494da5b4e9fe0607661e81ada212e32d7daf7ab416019cdeaea8c7515
-
Filesize
1KB
MD5c459f044c8acab0ea20b4d96d9611e6c
SHA136e1a94b96909c333830d0272f1f06ebc33ea64c
SHA256dc0d996f5f64c2982b0f554aa8419901ef8ccbde6a2817ef9c2eae254db01069
SHA512ea340b7ecfbeea0de0ced8f274c40db42f87f1fb9a761af18f4a0c3a5621f47ab0c509f933c9c93a86cebaafdad6b5c6d78c206d8ef75ff8e480dd9fb4daf707
-
Filesize
1KB
MD54fd339ef0589a83c3eab32699267716d
SHA1ad2af6cf7375f15e7270a214ccf0a3f864d111cf
SHA25651247d54f9cc800d5435191b202298ea0f3ebc3baaedf0f40d9431d44e0c3539
SHA512b9d461315cf1689a7917abc9f2f5bf93ad0a589668117d0e7198a7d2dffbc775bf1fd5384a68a228b609ea17151274d4201fe8c6959d50fb20a6ca6bbca4388c
-
Filesize
970B
MD562a82675fe80409c19902610a0a0c085
SHA10c80c106a2601bef89b3b6e5eef206216c6cd0f2
SHA2565bef586c04f5c27e8dc16b62aacb56acdd828347019f9dbcc9711691f956a5d0
SHA51264ee95fe38f2f932b5a9335387c16c95fac1b07e7f74875d9f2edba1fcc96778d0cf2109b23cb81839946fc3e3124ea31356b263ca84957459930583460c35bc
-
Filesize
1KB
MD572098deaaad52be23940e72f28c7680d
SHA1a5361fc2b4cf32b1876a88b7e8eeca25d1f5ca1d
SHA256e2e484a10428663298a35c82c858937c001b099e39fa0d60e1fe2a09f744c494
SHA512f84faeedcdd79fda1750aafc58c44fdfbf0497e26bd6b4ddacc24cf5f8e6a7edbac0ec084d22d62fa21d31c9269223cfcdb3b14fd72e8bf3dde054b9a453c838
-
Filesize
1KB
MD5412da775db4b54c49ad156b8b6f5ab74
SHA1c736d65d487aabe591ce42bf6e8d10fc7f5829b7
SHA2567cad7e22a9b84cf52691e666cbc99e4977defc74de12f772f8752e551544ad99
SHA51268b3e6c274b035d48e68dc73996212154a92cbcf6ae508f18280349b7e1c26efeda76024530a8a0d4cf495eb27afc264d71c7e14fbfe1ce46b1199516a924346
-
Filesize
951B
MD539dfcf2906eee958e051a42cc5aacea0
SHA1ef97c611be6646c003a262237b5139820e7c4ce3
SHA256d6b7d13bd2aa7f19b44d7275ed61eb72d2a2eb411757a14fcdbdb153803a2793
SHA512c1b7d0fef62e4870d4c109f05a5a38742ce7ceb77bce0507f0f3e410143b9a82881c9a636e97e1246a7e1b8418696ae33ccf5b9515b63b7e403d1be085bd6d68
-
Filesize
1KB
MD5005fab27b135b16b0d1ea525dcb0c793
SHA1ea0de0edd5c2ba5f0d9d851c089c4c09dc0376af
SHA2564735f776aa686198c80f523fa78b68a3668f6753f8f51a91b023611634d97ea2
SHA51298f265e24c7e70ef2996c3a112776e3d20212df2b9e56ac2cd93c39f49f0a16e0da0df0994dfff179418bcb7dbcb6ee94826176122cd2976c5d92d75fdeba766
-
Filesize
916B
MD5f0e0de251179e1d4f03ee28c211d6d70
SHA14951792a9ec8329145ab4f176e61d4efa70cf99e
SHA256d1e2ca289fd4e353e1307446ec2f66fd01665cd0b7a84e8936eedaf7c7ba33fb
SHA5129dc68d752c1f7ae57d28f1375b06bd5f1a3f4023d7eef05143de0f5412893dc4b45f5ea35b62a9efb30962749079975eacdd336ce52b490c1fdce411fe0458f6
-
Filesize
666B
MD5: fb91b861e2eff8844a79b3d20481415e
SHA1: 5678e1cb7e56972ddb38f493dab8f6dcb2c55452
SHA256: f49c1a6f2c93f0fb61a43e61716f47371508ff5affedf1d1f53777bf3dd90f29
SHA512: 8857b67fe57932631cf05e6b5be19a1fe95208b33183e354a121cc61ee0fe5c955ecd1c192a1e956046b7f1f93a50fb366111ab1c7c95c04b395d9279ed38319
-
Filesize
896B
MD5: f44793fe2999354e679e47bf6a5fbdb9
SHA1: 48f904a170935a2aa80b45b9e6222d41e2a93782
SHA256: 5a38839f7d8574ebe7b0fdaa0e5099690b053ad8ee46ee0e730649b0177ceb9d
SHA512: c0d1e155a0d8865b15683c29898357af10cdcda2a57b017cfeaea5a113a3c2fc3b3db1cd51c5abc65e660bea21d24fad63c0995046be224acc59014ca007f829
-
Filesize
1001B
MD5: 1da1785492e6a2721ba238ce5dd9b5b3
SHA1: c39f01af6c273e70c6ddb2c92bbcdec7d983c125
SHA256: 22d101e38d14b29e22cce6cc6229ff7681b938d16d32ab984e8d76b9da626453
SHA512: 6e13bd0e8e84f36a0ef52b20e043194237d026ff8e135c9b826cd4ff0a71ffa1531b40fbc01f0dd93560875786897107ffcc841e821b75ae553ad722e0d1f9e9
-
Filesize
1KB
MD5: f30994449ab5fb1c6129e98b0b968f2b
SHA1: d0da0692377c4bfe2ff990321eb387bed7d333ca
SHA256: b8f379228ab4bf4bed62af0179f45e8b307aee4c3ba5a5f7b561b43a4bf16674
SHA512: 1a8e2e731ef300183f879feb78d35f7d5f8ced67e11130eca2f3776b24fd5c61dfcb61b9633f93160780fe4b8687798bbfecf1254b6244d370a3fe1b659aa0f6
-
Filesize
5KB
MD5: 9384f4007c492d4fa040924f31c00166
SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
-
Filesize
11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
24KB
MD5: 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1: ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256: 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512: 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb
-
Filesize
6KB
MD5: 0745ff646f5af1f1cdd784c06f40fce9
SHA1: bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256: fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512: 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da
-
Filesize
9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize
21KB
MD5: ab467b8dfaa660a0f0e5b26e28af5735
SHA1: 596abd2c31eaff3479edf2069db1c155b59ce74d
SHA256: db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73
SHA512: 7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301
-
Filesize
7KB
MD5: ba4063f437abb349aa9120e9c320c467
SHA1: b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256: 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512: 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a
-
Filesize
7KB
MD5: 5a3a8d916dd0071f16d217bbcfe7d047
SHA1: c2265fa5cec491706d0921e4274c674b693f326f
SHA256: 465e81022be2df0433a6e02d427a79dc733031abc89d99746b73576a976857e3
SHA512: 8908ee2e329171d2ee430aacf7f86be565472cdb9b338786188ab37d6e6a714e5bc98552a39737ff8a5f314730c9f351aa0f1fa8207eff32289d7bccb3e05a08
-
Filesize
18KB
MD5: 994669c5737b25c26642c94180e92fa2
SHA1: d8a1836914a446b0e06881ce1be8631554adafde
SHA256: bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512: d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
Filesize
14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize
56KB
MD5: cc0bd4f5a79107633084471dbd4af796
SHA1: 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256: 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512: 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3
-
Filesize
10KB
MD5: 38977533750fe69979b2c2ac801f96e6
SHA1: 74643c30cda909e649722ed0c7f267903558e92a
SHA256: b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512: e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53
-
Filesize
4KB
MD5: 7579ade7ae1747a31960a228ce02e666
SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
193KB
MD5: 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1: 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256: 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512: 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8
-
Filesize
5KB
MD5: aac69f856c4540edd4ef7ce6c8571639
SHA1: 2860f55ea9774d631219e66604051e90a43258b7
SHA256: 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512: ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd
-
Filesize
5KB
MD5: 69806691d649ef1c8703fd9e29231d44
SHA1: e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256: ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512: 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb
-
Filesize
1.6MB
MD5: e10aa65bc9f094483b45ee6745e89606
SHA1: f69007d78c2636c53afe608f9eb8d116603652f7
SHA256: 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f
SHA512: b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6
-
Filesize
189KB
MD5: 09fbaede48cfedb759e640bed10d5dbf
SHA1: e1c0a5a77042595beae53955cad72143aac61045
SHA256: e9be711645adceef7a7f55ad9b573cf67910c885ebf63024928656823079512b
SHA512: aeb67c0ccfea4b5c09dcbb398be9e863c3c35eb3f9cb8c8eb666e8d69fd00ac6195024e443333ce5645a04b00c38c17182533d9f8ba7312ff446f1be5cba0d28
-
Filesize
134B
MD5: a6586122c0662f36a4f26b6c3959811c
SHA1: 929259027561933065e6267fe948b33bd549d2a8
SHA256: 2bce865f219fe68157cf29b115642d1c68a0cf062c14e3853321e4d7b4fc4edb
SHA512: 622683523e7049eef983dfd0fa177882b1a1fe153aac634308b2ebee5b6b1d7bca93ce67327d77d9e2df13010ef7d2785cee5752dc7847435f71ba1c8d156bcf
-
Filesize
11KB
MD5: 8cd889b2732d44f4b63bb9e376128973
SHA1: d1fd1621ac821c096c5de67367403270c868b423
SHA256: b828a98fa04a684e67cc7094e2a53ab7b611e39dc655f6e812541560ef99cc79
SHA512: c878d6bb0941dbdb9ec32fc8437e8ba775645818c114f8ae2b154cd20ec9cdc3759e4151a30582cd0e55f8b73603a4283335a98145d201b8bd816ce5533c0808
-
Filesize
384B
MD5: 06c42349f82ace83f953695a7036967e
SHA1: 3488e08a3fb81316456f6449bdeb9254c3b4f5f8
SHA256: afa2580870da87ca052d778bb13ea37bea1cf83aae932dcc575d700e1c9e831b
SHA512: 272c97324cd7922a9fb6514f3b082655a09d37e70381f520c012ad285fe8f55d88c8c79dbd5b80cf6009e4934c2255c98f99c6ee97639c481330c8c9f509061e
-
Filesize
81B
MD5: 3062047a2880b6809f9f5e203a624692
SHA1: 6ae308f3d7b8c4d30f85a8e6288f88f1500f0d4a
SHA256: eb8861bc4c152c0c8fe13e9ee53b4fcb84733ac5539d0e86c98e2ec3015d6184
SHA512: 066e4a0cb8c06ae1c96d7d0d9b39a5abac8e5fad258ec8c8841bcf81293fc9a727f275813836a0e41c1b34bd67f0f33532a701bbc888aa3f1edcede970cc64d3
-
Filesize
293B
MD5: 7278e2536cdb7b7b289d1608b8bb731f
SHA1: ae9ae0d8c25ca64553b56eb8fb4ed5edc5c8833c
SHA256: 145136f0c0ed3502e8721cf84cb1c6f686216e1027d232202a2811141914fdcb
SHA512: b4650b56ce6f7457a1783f20bce99106fbeb46d5a6b7740e165d5c9273c6337c93f1145afb00f64fcff141d082a1153a70da257d6d00562fe9479f4d8e2f45ab
-
Filesize
1KB
MD5: 720b65b2a770bc6138438fddc6962500
SHA1: 7df0b1c24c8c2322ccbb95a30aba10d7b17b9259
SHA256: 531819f9be5b043f982080a0e801dc27b37e7f0d6ef10f4d6cedb8b5bf31a1e0
SHA512: 54f05ae9ff38b13e7f547ef59cf88b291f8aab8d7892a6ca448e05bef34ca405cd09e8c3b5a3d7e47009d5dcf53e03f7368e1ac8e7f1cef6c61b22a8dc3d9ba3
-
Filesize
1KB
MD5: 6c9c0e1c065d8b3e26b7fa0497d3ea75
SHA1: 7df20f1abaf04ca5f94d492e0ad9fe2f8eb0d6fe
SHA256: 8e143c953a4f72586023bc183ae49a5f6116aa213dc7287e5ad591c0e8207c66
SHA512: ce8138386e7f56ebf721a611376441d80b9f7b227d352671aa4cc6d6664095fb904f9ff401e26c171c61235971094130baddd8029e9fbe58dfe8c0a759379c68
-
Filesize
681B
MD5: 0c7c8a283b16e0fa47c0016069de06e6
SHA1: 56dfdd0983f1ff14fd39acf3094f38e40a221e8e
SHA256: d34969a861d89c54d6a1f430cac910c32203c47def8ceb55c28065f508c3d7d9
SHA512: 4028c03372de5c43493709adbef322156fecced278707c3c26949dd54ff3f9219f8c4f405ad8f4e69cebc77257fdbe4ea5986aa5e659098e5094f0f666c1d314
-
Filesize
343B
MD5: b804e77d692f76f6b411f020cc930dc0
SHA1: 019911c69ba034cf0be5f9ef70d9d748df9eb98c
SHA256: d469d6f59a86889c7d5d0282279b19109b8f5d7ba1e8552d355805417a8c2c46
SHA512: 47978f97fe69ef35b7ffa7649f3289ebc8fb5c3a12a201d763a4607b9f63ff39d2e66be629b82f8af0521bd1930d604a981dad63d976a21d69f2be2219da7c75
-
Filesize
611B
MD5: 122384a2fb0a6d2defd644ac0a614227
SHA1: a43a0dfd8faf6cc8d2922e5dc551f24381708d76
SHA256: 370572aaa27d7b6c1bf15cee5f5c148f002db60b44fed73ae58a2fa1afc96fb8
SHA512: b8c0699e77450055a290cb60aae5b5d3466cf02d30453390b6aa33c60db4d8a9f991d6001fc383ca3575528cc038a8c16f60b7eb380bb68eea4767c7e6f42c1c
-
Filesize
775B
MD5: 3a49c3d986994bdf8ec9ca1f13ab9308
SHA1: f2b65b981f81b403053aff34e3eb7cb1665a281d
SHA256: e1dca9a4d2acdbb45629e66d70e82c9e4e05e60eadce0b08836b587acfc86d0b
SHA512: a48e14a3cbefab953172514b01bdca9db1962ce22cd8e4f552a8845f6e72290757256c9ae4aa42bfe4d9398c7c18887addde4685f946940b66a919f40ecc39b1
-
Filesize
243B
MD5: 21e2ca66b86e5bf3a6032fdbc45e90b5
SHA1: ea70be42630e89f7a650abb4e71852efa9893c9b
SHA256: 704628eb647ff0f3e61d951bd0cb3f97f7e58a8284c4e50c71f4369aa111873a
SHA512: 3757f022724b7ba2efb3c0f5da649bfa8e609752266fde6b2999de31fc01390eae20e6a65d8cbcffaf338936de5dd018b76953679e763448078e27b208b9fd65