Overview
- overview: score 7
Static
- static: score 3
Behavioral tasks (sample, platform, score)
- JaffaCakes...ad.exe, windows7-x64, 7
- JaffaCakes...ad.exe, windows10-2004-x64, 7
- $PLUGINSDI...er.exe, windows7-x64, 3
- $PLUGINSDI...er.exe, windows10-2004-x64, 3
- $PLUGINSDI...ar.exe, windows7-x64, 3
- $PLUGINSDI...ar.exe, windows10-2004-x64, 3
- $PLUGINSDI...em.dll, windows7-x64, 3
- $PLUGINSDI...em.dll, windows10-2004-x64, 3
- $PLUGINSDI...st.exe, windows7-x64, 7
- $PLUGINSDI...st.exe, windows10-2004-x64, 7
- $PLUGINSDI...ec.dll, windows7-x64, 3
- $PLUGINSDI...ec.dll, windows10-2004-x64, 3
- AdminWorker.exe, windows7-x64, 3
- AdminWorker.exe, windows10-2004-x64, 3
- Uninstall.exe, windows7-x64, 7
- Uninstall.exe, windows10-2004-x64, 7
- WebInstaller.exe, windows7-x64, 6
- WebInstaller.exe, windows10-2004-x64, 6
- WebUpdater.exe, windows7-x64, 3
- WebUpdater.exe, windows10-2004-x64, 3
- content/iwa-ovr.js, windows7-x64, 3
- content/iwa-ovr.js, windows10-2004-x64, 3
- content/iwinarcade.js, windows7-x64, 3
- content/iwinarcade.js, windows10-2004-x64, 3
- firefox/iW...er.exe, windows7-x64, 3
- firefox/iW...er.exe, windows10-2004-x64, 3
- iWinGames.exe, windows7-x64, 6
- iWinGames.exe, windows10-2004-x64, 7
- iWinGamesHookIE.dll, windows7-x64, 6
- iWinGamesHookIE.dll, windows10-2004-x64, 6
- iWinInfo.dll, windows7-x64, 3
- iWinInfo.dll, windows10-2004-x64, 3
Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 11:40
Static task: static1
Behavioral tasks (task: sample, resource)
behavioral1: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, win7-20240903-en
behavioral2: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe, win10v2004-20241007-en
behavioral3: $PLUGINSDIR/InstGameInfoHelper.exe, win7-20240903-en
behavioral4: $PLUGINSDIR/InstGameInfoHelper.exe, win10v2004-20241007-en
behavioral5: $PLUGINSDIR/IwinToolbar.exe, win7-20241010-en
behavioral6: $PLUGINSDIR/IwinToolbar.exe, win10v2004-20241007-en
behavioral7: $PLUGINSDIR/System.dll, win7-20240708-en
behavioral8: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral9: $PLUGINSDIR/iwintoolbarinst.exe, win7-20240903-en
behavioral10: $PLUGINSDIR/iwintoolbarinst.exe, win10v2004-20241007-en
behavioral11: $PLUGINSDIR/nsExec.dll, win7-20240903-en
behavioral12: $PLUGINSDIR/nsExec.dll, win10v2004-20241007-en
behavioral13: AdminWorker.exe, win7-20240729-en
behavioral14: AdminWorker.exe, win10v2004-20241007-en
behavioral15: Uninstall.exe, win7-20240903-en
behavioral16: Uninstall.exe, win10v2004-20241007-en
behavioral17: WebInstaller.exe, win7-20240903-en
behavioral18: WebInstaller.exe, win10v2004-20241007-en
behavioral19: WebUpdater.exe, win7-20240903-en
behavioral20: WebUpdater.exe, win10v2004-20241007-en
behavioral21: content/iwa-ovr.js, win7-20240903-en
behavioral22: content/iwa-ovr.js, win10v2004-20241007-en
behavioral23: content/iwinarcade.js, win7-20241023-en
behavioral24: content/iwinarcade.js, win10v2004-20241007-en
behavioral25: firefox/iWinArcadeLauncher.exe, win7-20240903-en
behavioral26: firefox/iWinArcadeLauncher.exe, win10v2004-20241007-en
behavioral27: iWinGames.exe, win7-20241010-en
behavioral28: iWinGames.exe, win10v2004-20241007-en
behavioral29: iWinGamesHookIE.dll, win7-20240903-en
behavioral30: iWinGamesHookIE.dll, win10v2004-20241007-en
behavioral31: iWinInfo.dll, win7-20240903-en
behavioral32: iWinInfo.dll, win10v2004-20241007-en
General
Target: JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
Size: 3.6MB
MD5: e60156f6d9a9642465da11d0915b43ad
SHA1: c332bc20c25fb9bbc94185992811e977243c5664
SHA256: 672d70ad03e526910432bcc74c21e184b33b1bedd80c6a29223f4e52175b78f1
SHA512: 806d626f2181c3968e90e0fe254a2956807d8beaed45ea20348c121a6db425cea3008a3518c2c0e77681e08a7c7bbca686b2189aba813628f2ebbcf2185e2997
SSDEEP: 98304:6jiX418wVrgGlg9iHjOzZYr8d/GXGtQ9TANT:6jiIBy6O9d/GXAx
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | iWinGames.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | AdminWorker.exe
-
Executes dropped EXE 11 IoCs
pid | Process
4804 | InstGameInfoHelper.exe
3672 | AdminWorker.exe
2244 | AdminWorker.exe
3228 | iWinTrusted.exe
3488 | WebInstaller.exe
1772 | iwintoolbar.exe
4352 | iWinGames.exe
3484 | iWinTrusted.exe
3632 | WebInstaller.exe
4484 | AdminWorker.exe
4200 | iWinTrusted.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2940 | JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
2940 | JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
3416 | regsvr32.exe
1408 | regsvr32.exe
2716 | regsvr32.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990} | regsvr32.exe
-
Drops file in Program Files directory 41 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WebInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdminWorker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstGameInfoHelper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdminWorker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iWinTrusted.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iWinGames.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iWinTrusted.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdminWorker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WebInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iwintoolbar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iWinTrusted.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | iWinGames.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iWinGames.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iWinGames.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync | iWinGames.exe
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4352 | iWinGames.exe
4352 | iWinGames.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 2812 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2812 | AUDIODG.EXE
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
1772 | iwintoolbar.exe
1772 | iwintoolbar.exe
4352 | iWinGames.exe
4352 | iWinGames.exe
3484 | iWinTrusted.exe
4484 | AdminWorker.exe
4200 | iWinTrusted.exe
4352 | iWinGames.exe
4352 | iWinGames.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e60156f6d9a9642465da11d0915b43ad.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2940

    C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\InstGameInfoHelper.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4804

    C:\Program Files (x86)\iWin Games\AdminWorker.exe
    Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" AddArcadeToFireWallExceptions
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3672

    C:\Program Files (x86)\iWin Games\AdminWorker.exe
    Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" restoreShortcutsPathes
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2244

    C:\Program Files (x86)\iWin Games\iWinTrusted.exe
    Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 3228

    C:\Program Files (x86)\iWin Games\WebInstaller.exe
    Command line: "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3488

        C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        PID: 3416

    C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\iWin Games\iWinInfo.dll"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID: 1408

    C:\Users\Admin\AppData\Local\Temp\nsyB5E3.tmp\iwintoolbar.exe
    Command line: iwintoolbar.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1772

    C:\Program Files (x86)\iWin Games\iWinGames.exe
    Command line: "C:\Program Files (x86)\iWin Games\iWinGames.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4352

        C:\Program Files (x86)\iWin Games\iWinTrusted.exe
        Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 3484

        C:\Program Files (x86)\iWin Games\WebInstaller.exe
        Command line: "C:\Program Files (x86)\iWin Games\WebInstaller.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3632

            C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32 /s /i "C:\Program Files (x86)\iWin Games\iWinGamesHookIE.dll"
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            PID: 2716

        C:\Program Files (x86)\iWin Games\AdminWorker.exe
        Command line: "C:\Program Files (x86)\iWin Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" "-install"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4484

            C:\Program Files (x86)\iWin Games\iWinTrusted.exe
            Command line: "C:\Program Files (x86)\iWin Games\iWinTrusted.exe" -install
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 4200

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x518
- Suspicious use of AdjustPrivilegeToken
PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
57KB
MD594ab5e493c7fd8358c9a893d0a108d5f
SHA15dd41e775bb246ee33cbbb6bbf1a4a6b65da1173
SHA25654e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a
SHA512f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164
-
Filesize
98KB
MD5ec08c1c867ded8f5221aefb969b161c1
SHA1839866cc28b401d1d3f0f07aa8f13803f56b496a
SHA256f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be
SHA51234c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7
-
Filesize
103KB
MD52977804931e9cf61cf86d1d0d0d7eb3e
SHA13e96c8baa8d6ebeb8deb021a453adc02b4f7a288
SHA256c79f67e60d4d9d8e3446bcf804b9f78fc7a52a994a47383c1aff9a7b58790979
SHA5124004e12a59d175d7d88c7e6cd8ddddc78ee787ca0f82b63ee63d1e271d828655aa10c2d8463928a9db1fcf13308572c55d407194baa941f9162d6d08a5a47b14
-
Filesize
10KB
MD54c0c6163b636f627e0d505deda672c90
SHA12eae4e6f00673a03ae2434f1b22dc9218e4761a8
SHA256bea71368433f91e32c597db990089ecb7599879f76a64f7f3446489578b2d5fb
SHA512e817ad35f0e89ecce9d73add641d9eab95de6c6c30153e594673c8e0243e738a31dfb872cc76a8d51bc513775fc1dabc9adb65019298048539d6c3aa7d33e2ef
-
Filesize
512B
MD5e45db6ebc4de21e77ddd6ac9a7735dc7
SHA12230443ffa9c45016b17aaaf05492e155032d8b5
SHA2569af15500af37d4bba70bf38ed1100eb81553f6a6171d8dba84c1eb8cfc6fc2f9
SHA51295078c3ee3abd00e97d99cb93f554c51ba935d21e5884e35c045e06c77474e45610ff43740bc5d6eadfd1a7ca2cec9967bb04bbc344158660ad3e8ddb2d70945
-
Filesize
10B
MD509413be548245a232bf1857a0c94524b
SHA1367cae47d819a19202c30a801d05b3114f02bcb9
SHA256cb60483845cf9bced83019d3825d76fc6d1c2cea8430c2d3d33a0a926d5a5073
SHA512953c3fb3ebebfec1856454b423154c425986af4eecf3ffd741639ea4c4be9d47dc9663b73683171b68db753abb1219241a8082cdf40e915a2411c38e755bccf7
-
Filesize
6KB
MD50eaa468e975017262a246e03e23b3172
SHA117064408bd1c2fe2a6aa8588fba7d34018f94241
SHA2562a0b28de70575228c2bf63f0d3c4073904e2c854427c006f187532f1d0349bd6
SHA512e5946258c126fb0a6657d862931b6c965bfd899a499f023ee3626f62039acdbf844f495c714eaaae47c08de4d8b668377e23f7b5632c0b9d83391aaf08378de7
-
Filesize
243B
MD51da2c13d7f658d4dbda4cd08933cba0d
SHA155447016919661e7f86dee62f620a3640dcf31c0
SHA25661ba87f145a9edd68a2d6a7f1f8b840f992f00827bb7a8f86aad728d7d8969c4
SHA5129c770ac6757904d6c81e7f6cc18f97acb3ed4379975b6981744b339b959ab906699a4f53c4d5300047abfda333b6cbda48c884da76dae8cd4d3b93415686f05d