Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-01-2025 02:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe
Resource
win7-20241010-en
windows7-x64
36 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe
-
Size
964KB
-
MD5
01574a7ced39cbf89da4d00fd652402b
-
SHA1
a41cde6dabcf451122acc33b17ad34d6a7f1c202
-
SHA256
2fd730dc9bb9675f04535b564481d65a20098a26ee3d6bf6eaaf41ec516ad9ad
-
SHA512
ca59c9a862f52b9cb046987687f29843ac7c23041995aecaa28ce21e5699497da9ccbac796182976f4c7adbb4f4564da5b632a3eb9b00df006da75fc359a678b
-
SSDEEP
24576:YNDtgSt8ux/FI5QhM5BtON/X5aP/SdqJyybYfxk/5GFaidS0:+jImitOWXSdSrbjz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\561eee82\\X" Explorer.EXE -
Modifies firewall policy service 3 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List svcnost.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\xh1nqpusiv3u1jcxbsiqqwcaw2uj1vtf2\svcnost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xh1nqpusiv3u1jcxbsiqqwcaw2uj1vtf2\\svcnost.exe:*:Enabled:ldrsoft" svcnost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" u2AzQ8M2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" miigue.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 5eod.exe -
Deletes itself 1 IoCs
pid Process 2864 cmd.exe -
Executes dropped EXE 16 IoCs
pid Process 2056 u2AzQ8M2.exe 2508 miigue.exe 3016 2eod.exe 2720 2eod.exe 2760 2eod.exe 748 2eod.exe 1008 2eod.exe 1744 2eod.exe 1732 3eod.exe 2680 4eod.exe 336 csrss.exe 1656 X 1580 3eod.exe 1152 3eod.exe 756 5eod.exe 1532 53AC.tmp -
Loads dropped DLL 16 IoCs
pid Process 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2056 u2AzQ8M2.exe 2056 u2AzQ8M2.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2680 4eod.exe 2680 4eod.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 1732 3eod.exe 1732 3eod.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 55 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /C" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /T" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /G" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /w" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /z" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /t" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /O" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /I" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /E" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /i" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /n" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /B" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /H" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /D" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /N" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /S" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /x" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /m" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /K" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /V" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /k" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /f" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /L" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /d" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /A" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /M" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /P" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /g" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /y" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /Q" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /e" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /h" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /o" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /Z" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /R" miigue.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C29.exe = "C:\\Program Files (x86)\\LP\\1B8E\\C29.exe" 3eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /U" u2AzQ8M2.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /j" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /s" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /r" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /l" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /X" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /U" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /p" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /q" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /v" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /Y" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /J" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xh1nqpusiv3u1jcxbsiqqwcaw2uj1vtf2\\svcnost.exe\"" 5eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /c" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /F" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /u" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /b" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /W" miigue.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\miigue = "C:\\Users\\Admin\\miigue.exe /a" miigue.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2eod.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2eod.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2972 tasklist.exe 2472 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 3016 set thread context of 2720 3016 2eod.exe 37 PID 3016 set thread context of 2760 3016 2eod.exe 38 PID 3016 set thread context of 748 3016 2eod.exe 39 PID 3016 set thread context of 1008 3016 2eod.exe 40 PID 3016 set thread context of 1744 3016 2eod.exe 41 PID 2680 set thread context of 2972 2680 4eod.exe 53 -
resource yara_rule behavioral1/memory/2720-42-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-40-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-48-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-47-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-45-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2760-61-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2760-60-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2760-58-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2760-55-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2760-53-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2760-63-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/748-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/748-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/748-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/748-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/748-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/748-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1008-80-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1008-87-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1008-85-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1008-83-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1008-78-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-105-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1008-161-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x00170000000195fd-356.dat upx behavioral1/memory/756-358-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/2068-483-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/756-501-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/2068-508-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\1B8E\C29.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\1B8E\C29.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\1B8E\53AC.tmp 3eod.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svcnost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language miigue.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u2AzQ8M2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 53AC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry svcnost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML = 313633303932363438 svcnost.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5f3e4c35-3c7f-0fca-611a-e16dd929dc50}\cid = "3558121249875886995" 4eod.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \registry\machine\Software\Classes\Interface\{5f3e4c35-3c7f-0fca-611a-e16dd929dc50} 4eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5f3e4c35-3c7f-0fca-611a-e16dd929dc50}\u = "188" 4eod.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2056 u2AzQ8M2.exe 2056 u2AzQ8M2.exe 2760 2eod.exe 748 2eod.exe 2508 miigue.exe 2508 miigue.exe 2760 2eod.exe 748 2eod.exe 2508 miigue.exe 2508 miigue.exe 2508 miigue.exe 2508 miigue.exe 2760 2eod.exe 1732 3eod.exe 1732 3eod.exe 1732 3eod.exe 1732 3eod.exe 1732 3eod.exe 1732 3eod.exe 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2508 miigue.exe 2680 4eod.exe 2680 4eod.exe 2680 4eod.exe 2680 4eod.exe 1656 X 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2508 miigue.exe 2760 2eod.exe 2760 2eod.exe 2508 miigue.exe 2760 2eod.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2292 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2972 tasklist.exe Token: SeRestorePrivilege 2896 msiexec.exe Token: SeTakeOwnershipPrivilege 2896 msiexec.exe Token: SeSecurityPrivilege 2896 msiexec.exe Token: SeDebugPrivilege 2680 4eod.exe Token: SeDebugPrivilege 2680 4eod.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeShutdownPrivilege 2292 explorer.exe Token: SeDebugPrivilege 2472 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe 2292 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 2056 u2AzQ8M2.exe 2508 miigue.exe 3016 2eod.exe 2720 2eod.exe 1008 2eod.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 336 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2056 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 30 PID 2428 wrote to memory of 2056 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 30 PID 2428 wrote to memory of 2056 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 30 PID 2428 wrote to memory of 2056 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 30 PID 2056 wrote to memory of 2508 2056 u2AzQ8M2.exe 31 PID 2056 wrote to memory of 2508 2056 u2AzQ8M2.exe 31 PID 2056 wrote to memory of 2508 2056 u2AzQ8M2.exe 31 PID 2056 wrote to memory of 2508 2056 u2AzQ8M2.exe 31 PID 2056 wrote to memory of 2960 2056 u2AzQ8M2.exe 32 PID 2056 wrote to memory of 2960 2056 u2AzQ8M2.exe 32 PID 2056 wrote to memory of 2960 2056 u2AzQ8M2.exe 32 PID 2056 wrote to memory of 2960 2056 u2AzQ8M2.exe 32 PID 2960 wrote to memory of 2972 2960 cmd.exe 34 PID 2960 wrote to memory of 2972 2960 cmd.exe 34 PID 2960 wrote to memory of 2972 2960 cmd.exe 34 PID 2960 wrote to memory of 2972 2960 cmd.exe 34 PID 2428 wrote to memory of 3016 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 36 PID 2428 wrote to memory of 3016 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 36 PID 2428 wrote to memory of 3016 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 36 PID 2428 wrote to memory of 3016 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 36 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2720 3016 2eod.exe 37 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 2760 3016 2eod.exe 38 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 748 3016 2eod.exe 39 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1008 3016 2eod.exe 40 PID 3016 wrote to memory of 1744 3016 2eod.exe 41 PID 3016 wrote to memory of 1744 3016 2eod.exe 41 PID 3016 wrote to memory of 1744 3016 2eod.exe 41 PID 3016 wrote to memory of 1744 3016 2eod.exe 41 PID 3016 wrote to memory of 1744 3016 2eod.exe 41 PID 2428 wrote to memory of 1732 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 43 PID 2428 wrote to memory of 1732 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 43 PID 2428 wrote to memory of 1732 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 43 PID 2428 wrote to memory of 1732 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 43 PID 2428 wrote to memory of 2680 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 46 PID 2428 wrote to memory of 2680 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 46 PID 2428 wrote to memory of 2680 2428 JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe 46 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3eod.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:336
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
PID:1184 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\u2AzQ8M2.exeC:\Users\Admin\u2AzQ8M2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\miigue.exe"C:\Users\Admin\miigue.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
-
-
C:\Users\Admin\2eod.exeC:\Users\Admin\2eod.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2760
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:748
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1008
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
PID:1744
-
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1732 -
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Users\Admin\AppData\Roaming\E46DE\35A1B.exe%C:\Users\Admin\AppData\Roaming\E46DE4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Program Files (x86)\DE867\lvvm.exe%C:\Program Files (x86)\DE8674⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Program Files (x86)\LP\1B8E\53AC.tmp"C:\Program Files (x86)\LP\1B8E\53AC.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532
-
-
-
C:\Users\Admin\4eod.exeC:\Users\Admin\4eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Users\Admin\AppData\Local\561eee82\X*0*bc*ce9f0393*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2972
-
-
-
C:\Users\Admin\5eod.exeC:\Users\Admin\5eod.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:756 -
C:\Users\Admin\AppData\Roaming\xh1nqpusiv3u1jcxbsiqqwcaw2uj1vtf2\svcnost.exe"C:\Users\Admin\AppData\Roaming\xh1nqpusiv3u1jcxbsiqqwcaw2uj1vtf2\svcnost.exe"4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2068
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_01574a7ced39cbf89da4d00fd652402b.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2588
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2292
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:1256
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5449cf714ddba0f68cb17bc7f9698949b
SHA13639bfa3d1563f9a4e2caad9a21074e87b3bfa73
SHA2563c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010
SHA5128a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f
-
Filesize
282KB
MD52c24a5f9f31ac5a0d3830187617cf6dc
SHA1e71116ab32e0dfa7495f0562c86f232df7202991
SHA256007e9c74a2ee70d46460c91a3c36aa08602bb51a792e89f2d89a358ecbac94c6
SHA512f59a98a728c0d923443d10b2419b6a9bb5ac613949f26fa923240cc2162c93bc462e65f46f46000a1120065bf344b32ddba0f674cfc8007dd1d7591f4cb19b04
-
Filesize
120KB
MD53fe209cb336f44a0719e53e3b9354aa8
SHA1c37a59ba00521c78d81f0e7cf2713b41593e12a3
SHA25619102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1
SHA5126e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09
-
Filesize
600B
MD5b36153ed67e4af624862c41e40982e3c
SHA1ca015e0a5b5e481462c5a44af534b8b6c84ad54d
SHA256bcd5b66aaf6158a75b90d3a899e6f68b26a15b88a741f8abd92dd0f3774ab124
SHA512559d58294b5d28d15a362a3ec61cce3c925d2c3cc91f5b1ed537726c3ab69848ae68c87d11f11aa18ff3876703bcb861cd63f9ee003a9853cf699e40c39f45ae
-
Filesize
996B
MD57e0da3ba8c4dd9a448874aea2549b607
SHA18ce5358caa900fefc195f73f26c6bdc8ce840570
SHA25659011f3107aa521de697338645d9d4fba647c2e1f7effe47f9ebf52d6ffde1b7
SHA512a2371a9ae6e4845000fb83e256c7881bd79a7bd209da8211e02db53471f09290890a2ca796c1e44fc079720e8cd2eb5ea8e210acf72460164f84b571c2a353e7
-
Filesize
1KB
MD5e0bd2c43c164355d1f274ccd1afd591f
SHA1f890280a7557f371cdc7f3329ad8c9ad915d4e41
SHA2566ef95d0ab153a17e268e87e4691ec898bd55a5acb09596d9f22bb01820f66aa3
SHA51244b9f43d69e55df8c4c47826531dd4509b37a2235bff1e186130b70daa82b0411201c22048e0f368c06daf142deccd7d15ab66d94492009c07cfc7820b60367a
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
100KB
MD5340f18faddf54d738f6e56fe3d8b1d54
SHA1bb247a2f8db305906d558c0c665cc7fd7f86ff67
SHA2564613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572
SHA512e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
320KB
MD5304946fa63317201cd8b7933a9acbabe
SHA1a7ba14b0784e0a48678d8cc5ab2deebb1ec08317
SHA256f15d283d8bfaaadb4f894f32c0886d3eee781c2dac590bff89f5d1fff4c7b38c
SHA512c4e51d17e842ef3ea74b4fec07402b89229cd5a86847e8ff4af9f26b3149a7d334be4a1a4108e1c6c6ec31e2ae0db66729a294cf9101e7cc9c8a28723180f209
-
Filesize
320KB
MD5ca2acc28a24d14c7e282bd1c689229d0
SHA1c253b9ce5fa1db5bd8a02a49af44a751331e624c
SHA256bd67e3974c9108c7f2bd1cb266f6c3aad420fc63860fd653d0198e26927e2c25
SHA512007c6df499080b538deeffa552d09e0cddba64c6494fe98d6eaf883bd39180d4d9fba0bf08f7d650b256bd54fa52deafc415865dd69b00426452470a173ab2d2
-
Filesize
2KB
MD53a7482ba479bf81871823c500396d7f4
SHA14bfe4b0745895cce782cc0a90a8cfe9ba1cc3ca0
SHA25693fd7ce6c6fc5480976b1053b6fe569c589ff5e32ed7731074b827a220b7877e
SHA5124841c45264b44e15a96a438fe6c6ab94b56fa59f67b09f75b2c74850af88df7f5b9b2071d490eb1da4132cfe190f2ab716d8d86e9f80e87d1663bc48213f7cf3