Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/01/2025, 15:57
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
- Size: 2.0MB
- MD5: 05bcfa3e64ce2d45b1457a1659291185
- SHA1: da44bc916a7e619a4958c34fb425f149b1b252ec
- SHA256: a52a9093fdad5cc696b11845e8c2514cdeac7d4a9d97a49369412c39de7e524d
- SHA512: d746cd39811b77ba90b66d50ccad4be47bd5f9fc85de9761d3b04b46587bef6949a5690ccd2ff675d03673bc24490505d0a8d0b395fb61266ad54a872219c40e
- SSDEEP: 24576:96WOxWsYOWrK3TaUZ7pz3eCswkMjQ7cst8LSTAiV3yl5bvQVhG:9u8OoK3eUZzswnYPDAiV3ylSG
Malware Config
Extracted
cybergate
2.7 Final
Thecoin77eur
ntspnet.no-ip.org:80
ntspnet.no-ip.org:81
ntspnet.no-ip.org:82
ntspnet.no-ip.org:83
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: x86_microsoft-windows-w..win32-dll.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Erreur de chargement de sqlite3.dll Fichier manquant ou endomagé.
- message_box_title: Erreur de chargement
- password: 181098free
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
-
Cybergate family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q} | Idman.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe Restart" | Idman.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V8060U3K-8R2W-IBN4-355A-474L6T44620Q}\StubPath = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe" | explorer.exe
-
Possible privilege escalation attempt 5 IoCs
pid | Process
6192 | icacls.exe
5608 | takeown.exe
5548 | icacls.exe
6080 | takeown.exe
6140 | takeown.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Idman.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | S.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Idman.exe
-
Executes dropped EXE 7 IoCs
pid | Process
2244 | Idman.exe
2072 | S.exe
2284 | Windows Theme Installer v 1.1.exe
2160 | Idman.exe
3684 | UTP.exe
2072 | Idman.exe
5832 | x86_microsoft-windows-w..win32-dll.exe
-
Modifies file permissions 1 TTPs 5 IoCs
pid | Process
5608 | takeown.exe
5548 | icacls.exe
6080 | takeown.exe
6140 | takeown.exe
6192 | icacls.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe" | Idman.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\x86_microsoft-windows-w..win32-dll.exe" | Idman.exe
-
resource | yara_rule
behavioral2/files/0x0008000000023cad-43.dat | upx
behavioral2/memory/2160-47-0x0000000000400000-0x00000000004AF000-memory.dmp | upx
behavioral2/memory/2072-747-0x0000000000400000-0x00000000004AF000-memory.dmp | upx
behavioral2/memory/2160-1415-0x0000000000400000-0x00000000004AF000-memory.dmp | upx
behavioral2/memory/5832-1451-0x0000000000400000-0x00000000004AF000-memory.dmp | upx
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\explorer_backup_wti.exe | Windows Theme Installer v 1.1.exe
File created | C:\Windows\explorer.exe | Windows Theme Installer v 1.1.exe
File opened for modification | C:\Windows\explorer.exe | Windows Theme Installer v 1.1.exe
File created | C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe | Idman.exe
File opened for modification | C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe | Idman.exe
File opened for modification | C:\Windows\UTP.exe | Windows Theme Installer v 1.1.exe
File created | C:\Windows\explorer_backup_wti.exe | Windows Theme Installer v 1.1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5560 | 5832 | WerFault.exe | 95
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UTP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x86_microsoft-windows-w..win32-dll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idman.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2072 | Idman.exe (same row repeated for every listed IoC)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2072 | Idman.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2072 | Idman.exe
Token: SeDebugPrivilege | 2072 | Idman.exe
Token: SeTakeOwnershipPrivilege | 5608 | takeown.exe
Token: SeTakeOwnershipPrivilege | 6140 | takeown.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2160 | Idman.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3684 | UTP.exe
3684 | UTP.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4804 wrote to memory of 2244 | 4804 | JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe | 82 (row listed 3 times)
PID 2244 wrote to memory of 2072 | 2244 | Idman.exe | 83 (row listed 2 times)
PID 2244 wrote to memory of 2284 | 2244 | Idman.exe | 84 (row listed 2 times)
PID 2072 wrote to memory of 2160 | 2072 | S.exe | 85 (row listed 3 times)
PID 2160 wrote to memory of 3472 | 2160 | Idman.exe | 56 (row repeated for all remaining entries)
Processes
Each entry: image path | command line | PID. Indentation shows parent/child nesting.
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:620
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID:380
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:680
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID:800
  - C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2692
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3764
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3852
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3920
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4004
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4124
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4392
  - C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:4560
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3268
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3132
  - C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:5784
  - C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID:5708
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding | PID:2392
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID:908
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:960
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:520
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:868
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1036
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1048
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1056
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2972
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID:1092
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1176
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1288
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1328
  - C:\Windows\system32\sihost.exe | sihost.exe | PID:2768
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1356
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1368
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1388
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1496
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1560
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1588
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1644
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1696
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1744
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1816
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1876
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1888
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1952
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:2000
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1688
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID:2080
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2168
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2232
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2384
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2396
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2408
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2552
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2576
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2632
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2664
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2672
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2824
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:2564
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3364
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3472
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05bcfa3e64ce2d45b1457a1659291185.exe" | PID:4804
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Idman.exe | "C:\Users\Admin\AppData\Local\Temp\Idman.exe" | PID:2244
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\S.exe | "C:\Users\Admin\AppData\Local\Temp\S.exe" | PID:2072
        Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Idman.exe | "C:\Users\Admin\AppData\Local\Temp\Idman.exe" | PID:2160
          Signatures: Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1228
            Signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery
          - C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:4956
          - C:\Users\Admin\AppData\Local\Temp\Idman.exe | "C:\Users\Admin\AppData\Local\Temp\Idman.exe" | PID:2072
            Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe | "C:\Windows\install\x86_microsoft-windows-w..win32-dll.exe" | PID:5832
              Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
              - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 564 | PID:5560
                Signatures: Program crash
      - C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe | "C:\Users\Admin\AppData\Local\Temp\Windows Theme Installer v 1.1.exe" | PID:2284
        Signatures: Executes dropped EXE; Drops file in Windows directory
        - C:\Windows\UTP.exe | C:\Windows\UTP.exe -Silent | PID:3684
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F | PID:5884
          - C:\Windows\system32\takeown.exe | takeown /f C:\Windows\explorer.exe | PID:5608
            Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\system32\icacls.exe | icacls C:\Windows\explorer.exe /grant administrators:F | PID:5548
            Signatures: Possible privilege escalation attempt; Modifies file permissions
        - C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant administrators:F | PID:1260
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3164
          - C:\Windows\system32\takeown.exe | takeown /f C:\Windows\explorer.exe | PID:6080
            Signatures: Possible privilege escalation attempt; Modifies file permissions
          - C:\Windows\system32\icacls.exe | icacls C:\Windows\explorer.exe /grant administrators:F | PID:6192
            Signatures: Possible privilege escalation attempt; Modifies file permissions
        - C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c takeown /f C:\Windows\system32\OobeFldr.dll && icacls C:\Windows\system32\OobeFldr.dll /grant administrators:F | PID:856
          - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1276
          - C:\Windows\system32\takeown.exe | takeown /f C:\Windows\system32\OobeFldr.dll | PID:6140
            Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3592
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID:440
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:3680
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:1412
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:4360
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:2832
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:5032
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID:760
- C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe d9cb2f1f84a237e0c7fd0a90f8227249 YnafAUwiEkucKvkvKUGe4g.0.1.0.0.0 | PID:2416
  - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2368
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | PID:5964
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup | PID:5772
  - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5832 -ip 5832 | PID:5640
- C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe | PID:3304
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc | PID:2112
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
8B
MD5fac8a8aba35867405c517e5cf9480354
SHA105aacd4e7d4541f1002c72c4aa4986957a738019
SHA25634e2a1e8846e4101082c6991467508d57c1d3c783622ebebf684d8dd51abfc8e
SHA5120cc540bc0c20e8cf4a5994befb7dcd889e9b4dace649be3969540a76202e94e297ddaad9e50a9f6556b15cac3d7f0657d8d7026792d35aaa36798caff47c1295
-
Filesize
8B
MD52fa96a3f9b5f5b52edbd9df587938b1f
SHA1c0326d41d18f2fd46c21a6a6a4f8e4a0969e37a2
SHA256b521458cebe33abed9bda6cdb0b89ea1a4c43c694079a4d1deccd984e6cec99e
SHA51253639fb3bc416c1f6e20b7e412d6c368439e0d9ac16630f2321835e23db9d7173dc383dfb85efc8c5b1bde5877bbc30da76f84fe494abd10f0edabad980f0533
-
Filesize
8B
MD563d0d77062de97ca9372b706aaeac9af
SHA1527b247579bd4b92dcb85b31a2d31202228666fc
SHA256fd5b6da5d9a6522afd827369b749aaf4409e0ae966113c8ff97a58ecb013cac9
SHA512eb38a1de5e8912742b72ea072957967bc94480fe6341bd8c6bf8d4d36d532cfaa812c44aa16e55889497b5548f0916edb34d9cf3a61f60b90b8949d6388f03e9
-
Filesize
8B
MD5579aa36b25f340a80c8dff82526eb269
SHA17398aa3c9caa4432c7748007857c8af93b3a1762
SHA256f7c88d188bccea61a948668f38929be7cd34b50333dd660d79038914a26b63f0
SHA51281a87cd933dd7f1e6e047fd068b45a7c27b00703b19724c1eadde2073b655090ea691b138b2bbe454a64bacedddbf29e818f02b886e5ca04a0f72e2e86d709eb
-
Filesize
8B
MD5b058211afaa9aa561988ac346882fa89
SHA1ce451f92235d446f8c7851eab30867fe69249502
SHA256477b28003e974f468eabf53dc97cc8c92774cc9d30ae0e5cc954b459ce3f5169
SHA512cf725638b30727542961dbb6923586d8dbbe82f60914ca18c79ab2ba8e1bcfdeeec5975eddd5e1a9f22501b1ad5d59c985e2dc135f17b2418b5536ac39c958f8
-
Filesize
8B
MD5f8e484d7b64997dc54d9fc782c475217
SHA1998514356c4869ea76a64eef75f366c49fbad618
SHA256535ac663a7653071f9817785bb4e093a5b44d995da798da037b46838401927fa
SHA5122662bb18b330dce7b84aa7f85472e21cea4a6656d6b052c82bdc11acfb59d21d3d8c10717b7c0a94c5bc45f7a8464e64e7b4ed1531bb981f9ba1b35ab996126d
-
Filesize
8B
MD53a36ef46624f01ac532d96d188b6d805
SHA130bcd8d6ec404bbe940dbf05b2b519949c0dc007
SHA256531776806bf07a60271cce2f58f155b62436e0140f8139e446ad34ffcba1d317
SHA51281bb5e0ccd7fcf76742d1c4382c220384e17141d0dafc3a75b4097070f9208fc8ddb40ac6d0c685830bccb63f456173de82766fe3f7c3ccec32365415750dc68
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
Filesize
49KB
MD5e126b77aa21df82fbd267b6785b5c154
SHA14dabd87c4d7c3bd5d6b75157ddafafefc233cbe9
SHA25670fc5da0c8090091e9abba82f6185f60606b0e5f5bcb3fb03e0a6289c6c911f3
SHA5127e2ec83c395c0a0210f308f87beeab6bb0e0c5331aef24cac1513617001db3eb099fb3144b9437b9e063eb987e256c56a930b61ce686e232edf532e227e45d39
-
Filesize
4.6MB
MD530decee483a8196b30643ec6a453a7de
SHA192266131aff3595c5a95d3aa23c9e40c85d5f982
SHA2563dc254ad131a691acb1f9e3a5bb5ca5b3ea891869e516f4b3580ea4fcfdf2e76
SHA512a8f370c060223d4c2985ac16e78547779e584020e95428e85b497464fc487611d7b080908f904c11aa93bc7b56ec102845fbb6554d97dcba7fdc856c93087f00