Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
21-01-2025 06:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe
Resource
win7-20241010-en
windows7-x64
34 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
41 signatures
150 seconds
General
-
Target
JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe
-
Size
964KB
-
MD5
02b3f6e2f7d3900f9415c7ae1780390c
-
SHA1
73f425ca50ed5beac51114fc79b4007c9db6fe52
-
SHA256
ab87d4f3a0397b7e30c2e6636ba0a59571a5f7c2b787e8c28af32684e66fcfc0
-
SHA512
d5dbd0c36ba12e32c2443ea11c86548c894f036b8c8cefd6703cd5f5bb1c6016151531f3c254d5be4f04b3354feffbaf4310ee099390f9298a0bfe2366c896bb
-
SSDEEP
24576:0NDtgSt8ux/FI5QhM5BtON/X5aP/SdqJyybYfxk/5GFaidS0:ijImitOWXSdSrbjz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\d9d1177c\\X" Explorer.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" juaceu.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" u2AzQ8M2.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 5eod.exe -
Deletes itself 1 IoCs
pid Process 1616 cmd.exe -
Executes dropped EXE 16 IoCs
pid Process 2000 u2AzQ8M2.exe 2724 juaceu.exe 2920 2eod.exe 2932 2eod.exe 2376 2eod.exe 3016 2eod.exe 2720 2eod.exe 1152 2eod.exe 1284 3eod.exe 2856 4eod.exe 332 csrss.exe 2360 X 2900 3eod.exe 896 3eod.exe 1480 5eod.exe 896 90BB.tmp -
Loads dropped DLL 17 IoCs
pid Process 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 2000 u2AzQ8M2.exe 2000 u2AzQ8M2.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 2920 2eod.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 2856 4eod.exe 2856 4eod.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 1284 3eod.exe 1284 3eod.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 Destination IP 31.193.3.240 -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /L" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /Y" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /F" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /K" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /V" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /j" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /N" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /u" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /p" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /v" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /A" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /h" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /s" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /m" u2AzQ8M2.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /I" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /m" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /r" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /b" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xd2xewbhw3syirl1deskyn3fqdqtzhmu2\\svcnost.exe\"" 5eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /e" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /T" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /z" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /H" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /R" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /B" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /X" juaceu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EBD.exe = "C:\\Program Files (x86)\\LP\\6B93\\EBD.exe" 3eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /M" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /Z" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /G" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /t" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /k" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /f" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /O" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /Q" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /q" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /P" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /S" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /x" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /n" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /c" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /y" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /J" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /w" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /W" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /E" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /D" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /o" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /U" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /l" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /g" juaceu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\juaceu = "C:\\Users\\Admin\\juaceu.exe /a" juaceu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2eod.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2eod.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2628 tasklist.exe 2628 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2920 set thread context of 2932 2920 2eod.exe 38 PID 2920 set thread context of 2376 2920 2eod.exe 39 PID 2920 set thread context of 3016 2920 2eod.exe 40 PID 2920 set thread context of 2720 2920 2eod.exe 41 PID 2920 set thread context of 1152 2920 2eod.exe 42 PID 2856 set thread context of 2300 2856 4eod.exe 53 -
resource yara_rule behavioral1/memory/2932-50-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2932-49-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2932-48-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2932-43-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2932-41-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2376-63-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2376-62-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2376-60-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2376-57-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2376-55-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2376-65-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/3016-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-82-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-80-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-88-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-87-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2720-85-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3016-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2932-103-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/3016-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-112-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x0017000000005587-392.dat upx behavioral1/memory/1552-399-0x0000000002AD0000-0x00000000031E9000-memory.dmp upx behavioral1/memory/1480-400-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/1480-530-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\6B93\EBD.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\6B93\EBD.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\6B93\90BB.tmp 3eod.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u2AzQ8M2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juaceu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 90BB.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f18e6533-6f28-5340-e634-48197a6ea32b}\u = "188" 4eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f18e6533-6f28-5340-e634-48197a6ea32b}\cid = "386869058838040740" 4eod.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \registry\machine\Software\Classes\Interface\{f18e6533-6f28-5340-e634-48197a6ea32b} 4eod.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2000 u2AzQ8M2.exe 2000 u2AzQ8M2.exe 2376 2eod.exe 3016 2eod.exe 2724 juaceu.exe 2724 juaceu.exe 2724 juaceu.exe 2376 2eod.exe 3016 2eod.exe 2724 juaceu.exe 2724 juaceu.exe 2724 juaceu.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2376 2eod.exe 2724 juaceu.exe 2724 juaceu.exe 1284 3eod.exe 1284 3eod.exe 1284 3eod.exe 1284 3eod.exe 1284 3eod.exe 1284 3eod.exe 2724 juaceu.exe 2376 2eod.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2856 4eod.exe 2856 4eod.exe 2856 4eod.exe 2856 4eod.exe 2360 X 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe 2376 2eod.exe 2724 juaceu.exe 2724 juaceu.exe 2376 2eod.exe 2724 juaceu.exe 2376 2eod.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2580 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2628 tasklist.exe Token: SeRestorePrivilege 1332 msiexec.exe Token: SeTakeOwnershipPrivilege 1332 msiexec.exe Token: SeSecurityPrivilege 1332 msiexec.exe Token: SeDebugPrivilege 2856 4eod.exe Token: SeDebugPrivilege 2856 4eod.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeShutdownPrivilege 2580 explorer.exe Token: SeDebugPrivilege 2628 tasklist.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe 2580 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 2000 u2AzQ8M2.exe 2724 juaceu.exe 2920 2eod.exe 2932 2eod.exe 2720 2eod.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1552 wrote to memory of 2000 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 31 PID 1552 wrote to memory of 2000 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 31 PID 1552 wrote to memory of 2000 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 31 PID 1552 wrote to memory of 2000 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 31 PID 2000 wrote to memory of 2724 2000 u2AzQ8M2.exe 32 PID 2000 wrote to memory of 2724 2000 u2AzQ8M2.exe 32 PID 2000 wrote to memory of 2724 2000 u2AzQ8M2.exe 32 PID 2000 wrote to memory of 2724 2000 u2AzQ8M2.exe 32 PID 2000 wrote to memory of 3056 2000 u2AzQ8M2.exe 33 PID 2000 wrote to memory of 3056 2000 u2AzQ8M2.exe 33 PID 2000 wrote to memory of 3056 2000 u2AzQ8M2.exe 33 PID 2000 wrote to memory of 3056 2000 u2AzQ8M2.exe 33 PID 3056 wrote to memory of 2628 3056 cmd.exe 35 PID 3056 wrote to memory of 2628 3056 cmd.exe 35 PID 3056 wrote to memory of 2628 3056 cmd.exe 35 PID 3056 wrote to memory of 2628 3056 cmd.exe 35 PID 1552 wrote to memory of 2920 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 37 PID 1552 wrote to memory of 2920 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 37 PID 1552 wrote to memory of 2920 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 37 PID 1552 wrote to memory of 2920 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 37 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2932 2920 2eod.exe 38 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 2376 2920 2eod.exe 39 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 3016 2920 2eod.exe 40 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 2720 2920 2eod.exe 41 PID 2920 wrote to memory of 1152 2920 2eod.exe 42 PID 2920 wrote to memory of 1152 2920 2eod.exe 42 PID 2920 wrote to memory of 1152 2920 2eod.exe 42 PID 2920 wrote to memory of 1152 2920 2eod.exe 42 PID 2920 wrote to memory of 1152 2920 2eod.exe 42 PID 1552 wrote to memory of 1284 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 44 PID 1552 wrote to memory of 1284 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 44 PID 1552 wrote to memory of 1284 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 44 PID 1552 wrote to memory of 1284 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 44 PID 1552 wrote to memory of 2856 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 46 PID 1552 wrote to memory of 2856 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 46 PID 1552 wrote to memory of 2856 1552 JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe 46 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3eod.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Users\Admin\u2AzQ8M2.exeC:\Users\Admin\u2AzQ8M2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\juaceu.exe"C:\Users\Admin\juaceu.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
-
C:\Users\Admin\2eod.exeC:\Users\Admin\2eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2932
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2376
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
PID:1152
-
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1284 -
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Users\Admin\AppData\Roaming\34D15\DD16B.exe%C:\Users\Admin\AppData\Roaming\34D154⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Program Files (x86)\15778\lvvm.exe%C:\Program Files (x86)\157784⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896
-
-
C:\Program Files (x86)\LP\6B93\90BB.tmp"C:\Program Files (x86)\LP\6B93\90BB.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896
-
-
-
C:\Users\Admin\4eod.exeC:\Users\Admin\4eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856 -
C:\Users\Admin\AppData\Local\d9d1177c\X*0*bc*faa190a4*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2360
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2300
-
-
-
C:\Users\Admin\5eod.exeC:\Users\Admin\5eod.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:1480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_02b3f6e2f7d3900f9415c7ae1780390c.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2708
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2580
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2216
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300B
MD585fc61785d77d29f7f6691fdb6ffda23
SHA15034d710c83787efe385370b0e284066648f5b82
SHA256480145bb4cd22f35bcd3e00ed827b526ee57ebfd19595f428fb9562e71e3788a
SHA512fa1c015279d0189a9040e1a7018d139465be91c48f8af15b44a3a3a01eff0abd99af65a2652a733ed3dcacf78592c8c0ded5e202240559234f1823525b6ced40
-
Filesize
600B
MD561fcb20af34408364bf21933d57d7480
SHA143fa74da3d853977d1a71432c33ba1804ed3f81a
SHA256bea5337996081dbf61f53faa6aff8c29ef55dcf1ba45dd88a72d4e7272927a40
SHA5129c71dbcea8c61ab39bbb50695ed1111f450b648a12b4ade81652a1b5047cf158cb5f080d3072d7910e4005971f0a0edcc5abaa69e14792fdc5006412a6e9df2f
-
Filesize
996B
MD5fc02c270b1463bbf406941c697146094
SHA113e16695562edda6bf35523c14e3d58f9f9ee010
SHA256acf33de50a05e7cde4875cc91305edeba2e71ad1edf1a47f0bd7698881c5dc01
SHA5120773885499a61fff5eed953cf02e3c43cb010c97534d3f81d57633b94738c60a530365f2598a458db6f9580aced3390608cc76a0ed51c46166a9d475015cc9b3
-
Filesize
1KB
MD5a47f445b2efc62c18639a7c6995a2f91
SHA13a5f1a7d952b22c246c749aea53241fea2304c8e
SHA25670b0f08a989a3992cf6dbfea5c3e8b469a174a80ad8ae0d90d5b0bd173b9f1b5
SHA512cba974f715578b508e84be8506e4e6afae37e885c5af922c5aa1ca1d0bcbe23fb4368a4876ba082c2ffb70b8bf970261714b3598dd0804b838f4a2362781be44
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
100KB
MD5340f18faddf54d738f6e56fe3d8b1d54
SHA1bb247a2f8db305906d558c0c665cc7fd7f86ff67
SHA2564613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572
SHA512e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74
-
Filesize
136KB
MD5449cf714ddba0f68cb17bc7f9698949b
SHA13639bfa3d1563f9a4e2caad9a21074e87b3bfa73
SHA2563c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010
SHA5128a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f
-
Filesize
282KB
MD52c24a5f9f31ac5a0d3830187617cf6dc
SHA1e71116ab32e0dfa7495f0562c86f232df7202991
SHA256007e9c74a2ee70d46460c91a3c36aa08602bb51a792e89f2d89a358ecbac94c6
SHA512f59a98a728c0d923443d10b2419b6a9bb5ac613949f26fa923240cc2162c93bc462e65f46f46000a1120065bf344b32ddba0f674cfc8007dd1d7591f4cb19b04
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
120KB
MD53fe209cb336f44a0719e53e3b9354aa8
SHA1c37a59ba00521c78d81f0e7cf2713b41593e12a3
SHA25619102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1
SHA5126e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
320KB
MD51fd85d617774e5bad4d5b5a7ca2bb75d
SHA151e55bf68cd63e4b32ea2e8e1de1534a892af28b
SHA2563e08e672aace361586fa4b97f12cac26c75e31cc67636884dda291055bc74fb4
SHA5121ca2f73f4a064fcc10fad41932d0e0272b32c0eede8e74943d43f20c349714432560ff6e5ab984735e62f79ad099886dfea0b60c99a27bcaf90d44d576aeff80
-
Filesize
320KB
MD5ca2acc28a24d14c7e282bd1c689229d0
SHA1c253b9ce5fa1db5bd8a02a49af44a751331e624c
SHA256bd67e3974c9108c7f2bd1cb266f6c3aad420fc63860fd653d0198e26927e2c25
SHA512007c6df499080b538deeffa552d09e0cddba64c6494fe98d6eaf883bd39180d4d9fba0bf08f7d650b256bd54fa52deafc415865dd69b00426452470a173ab2d2
-
Filesize
2KB
MD53a7482ba479bf81871823c500396d7f4
SHA14bfe4b0745895cce782cc0a90a8cfe9ba1cc3ca0
SHA25693fd7ce6c6fc5480976b1053b6fe569c589ff5e32ed7731074b827a220b7877e
SHA5124841c45264b44e15a96a438fe6c6ab94b56fa59f67b09f75b2c74850af88df7f5b9b2071d490eb1da4132cfe190f2ab716d8d86e9f80e87d1663bc48213f7cf3