Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-01-2025 00:22
Behavioral task
behavioral1
Sample
JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe
Resource
win7-20241010-en
cycbotmodiloaderponybackdoorcredential_accessdefense_evasiondiscoverypersistenceratspywarestealertrojanupx
windows7-x64
39 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
18 signatures
150 seconds
General
-
Target
JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe
-
Size
812KB
-
MD5
08b4bebcf4bda9e48c61d7f31cbac4d6
-
SHA1
dc007ab37f9c26daa5368602e7ae22c23d86e44c
-
SHA256
b93296b02018089da2625165cc46ad7826e7477df358eab5869fad8ba8d0cb79
-
SHA512
0a7a76acb80023302ea6271b3102fa088f0cc95a9979821c17093c782c5bd86b54836e643bacaeae3d0da11ec42714e7d8d4e36e41ac1e2c8c353c5d143668f7
-
SSDEEP
12288:4YknjLpDBNoLE126lU1tMGjYIFW4+zyZGumGgTtrDJrPsfL4oTO27uqULG1R:4YkjlDr+8lUCpeZM3BDhPC5u/G
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 3 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/1932-115-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2472-138-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1932-140-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ckhost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bxpTXK8W.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" giuig.exe -
Modiloader family
-
Pony family
-
ModiLoader Second Stage 9 IoCs
resource yara_rule behavioral1/memory/1968-9-0x0000000000400000-0x0000000000417000-memory.dmp modiloader_stage2 behavioral1/memory/1480-14-0x0000000000400000-0x0000000000516000-memory.dmp modiloader_stage2 behavioral1/memory/1480-12-0x0000000000400000-0x0000000000516000-memory.dmp modiloader_stage2 behavioral1/files/0x00080000000197fd-43.dat modiloader_stage2 behavioral1/memory/1480-51-0x0000000000400000-0x0000000000516000-memory.dmp modiloader_stage2 behavioral1/memory/2988-69-0x0000000000400000-0x0000000000416000-memory.dmp modiloader_stage2 behavioral1/files/0x0007000000019820-72.dat modiloader_stage2 behavioral1/memory/3036-93-0x0000000000400000-0x0000000000417000-memory.dmp modiloader_stage2 behavioral1/memory/1480-363-0x0000000000400000-0x0000000000516000-memory.dmp modiloader_stage2 -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid Process 1584 cmd.exe -
Executes dropped EXE 13 IoCs
pid Process 3008 bxpTXK8W.exe 2996 giuig.exe 2988 akhost.exe 2768 akhost.exe 3036 bkhost.exe 2964 bkhost.exe 1932 ckhost.exe 320 dkhost.exe 2472 ckhost.exe 3020 ckhost.exe 332 csrss.exe 2516 ekhost.exe 1832 CF70.tmp -
Loads dropped DLL 17 IoCs
pid Process 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 3008 bxpTXK8W.exe 3008 bxpTXK8W.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 1932 ckhost.exe 1932 ckhost.exe 1832 CF70.tmp -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /P" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /m" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /i" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /x" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /Q" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /O" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /M" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /D" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /e" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /f" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /A" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /o" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /X" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /i" bxpTXK8W.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /l" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /u" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /r" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /a" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /Z" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /d" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /G" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /s" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /S" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /v" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /y" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /w" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /b" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /t" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /Y" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /U" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /n" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /N" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /g" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /T" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /p" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /V" giuig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F7B.exe = "C:\\Program Files (x86)\\LP\\809F\\F7B.exe" ckhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /q" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /k" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /J" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /h" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /j" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /I" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /K" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /B" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /L" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /z" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /R" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /H" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /E" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /c" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /C" giuig.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuig = "C:\\Users\\Admin\\giuig.exe /W" giuig.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum akhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 akhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum bkhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 bkhost.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2752 tasklist.exe 1748 tasklist.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1968 set thread context of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 2988 set thread context of 2768 2988 akhost.exe 38 PID 3036 set thread context of 2964 3036 bkhost.exe 40 PID 320 set thread context of 1612 320 dkhost.exe 50 -
resource yara_rule behavioral1/memory/1480-14-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-12-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-5-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-11-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-3-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-2-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/1480-51-0x0000000000400000-0x0000000000516000-memory.dmp upx behavioral1/memory/2964-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1932-115-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2472-138-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1932-140-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1480-363-0x0000000000400000-0x0000000000516000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\809F\F7B.exe ckhost.exe File opened for modification C:\Program Files (x86)\LP\809F\CF70.tmp ckhost.exe File opened for modification C:\Program Files (x86)\LP\809F\F7B.exe ckhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ckhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language akhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ckhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ckhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ekhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CF70.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language giuig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxpTXK8W.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bkhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dkhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3008 bxpTXK8W.exe 3008 bxpTXK8W.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2768 akhost.exe 2768 akhost.exe 2768 akhost.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2768 akhost.exe 2768 akhost.exe 2996 giuig.exe 2996 giuig.exe 2964 bkhost.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2768 akhost.exe 2768 akhost.exe 2996 giuig.exe 2996 giuig.exe 1932 ckhost.exe 1932 ckhost.exe 1932 ckhost.exe 1932 ckhost.exe 1932 ckhost.exe 1932 ckhost.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2768 akhost.exe 2768 akhost.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2768 akhost.exe 2768 akhost.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe 2996 giuig.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2772 explorer.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 2752 tasklist.exe Token: SeRestorePrivilege 1648 msiexec.exe Token: SeTakeOwnershipPrivilege 1648 msiexec.exe Token: SeSecurityPrivilege 1648 msiexec.exe Token: SeDebugPrivilege 320 dkhost.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeDebugPrivilege 320 dkhost.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: 33 3044 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3044 AUDIODG.EXE Token: 33 3044 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3044 AUDIODG.EXE Token: SeShutdownPrivilege 2772 explorer.exe Token: SeShutdownPrivilege 2772 explorer.exe Token: SeDebugPrivilege 1748 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 3008 bxpTXK8W.exe 2996 giuig.exe 2516 ekhost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1968 wrote to memory of 1480 1968 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 30 PID 1480 wrote to memory of 3008 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 31 PID 1480 wrote to memory of 3008 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 31 PID 1480 wrote to memory of 3008 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 31 PID 1480 wrote to memory of 3008 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 31 PID 3008 wrote to memory of 2996 3008 bxpTXK8W.exe 32 PID 3008 wrote to memory of 2996 3008 bxpTXK8W.exe 32 PID 3008 wrote to memory of 2996 3008 bxpTXK8W.exe 32 PID 3008 wrote to memory of 2996 3008 bxpTXK8W.exe 32 PID 3008 wrote to memory of 2840 3008 bxpTXK8W.exe 33 PID 3008 wrote to memory of 2840 3008 bxpTXK8W.exe 33 PID 3008 wrote to memory of 2840 3008 bxpTXK8W.exe 33 PID 3008 wrote to memory of 2840 3008 bxpTXK8W.exe 33 PID 1480 wrote to memory of 2988 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 35 PID 1480 wrote to memory of 2988 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 35 PID 1480 wrote to memory of 2988 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 35 PID 1480 wrote to memory of 2988 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 35 PID 2840 wrote to memory of 2752 2840 cmd.exe 36 PID 2840 wrote to memory of 2752 2840 cmd.exe 36 PID 2840 wrote to memory of 2752 2840 cmd.exe 36 PID 2840 wrote to memory of 2752 2840 cmd.exe 36 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 2988 wrote to memory of 2768 2988 akhost.exe 38 PID 1480 wrote to memory of 3036 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 39 PID 1480 wrote to memory of 3036 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 39 PID 1480 wrote to memory of 3036 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 39 PID 1480 wrote to memory of 3036 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 39 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 3036 wrote to memory of 2964 3036 bkhost.exe 40 PID 1480 wrote to memory of 1932 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 41 PID 1480 wrote to memory of 1932 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 41 PID 1480 wrote to memory of 1932 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 41 PID 1480 wrote to memory of 1932 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 41 PID 1480 wrote to memory of 320 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 42 PID 1480 wrote to memory of 320 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 42 PID 1480 wrote to memory of 320 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 42 PID 1480 wrote to memory of 320 1480 JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe 42 PID 1932 wrote to memory of 2472 1932 ckhost.exe 44 PID 1932 wrote to memory of 2472 1932 ckhost.exe 44 PID 1932 wrote to memory of 2472 1932 ckhost.exe 44 PID 1932 wrote to memory of 2472 1932 ckhost.exe 44 PID 1932 wrote to memory of 3020 1932 ckhost.exe 46 PID 1932 wrote to memory of 3020 1932 ckhost.exe 46 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ckhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ckhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exeJaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Users\Admin\bxpTXK8W.exeC:\Users\Admin\bxpTXK8W.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\giuig.exe"C:\Users\Admin\giuig.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del bxpTXK8W.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
-
C:\Users\Admin\akhost.exeC:\Users\Admin\akhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\akhost.exeakhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2768
-
-
-
C:\Users\Admin\bkhost.exeC:\Users\Admin\bkhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\bkhost.exebkhost.exe4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2964
-
-
-
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe3⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1932 -
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe startC:\Users\Admin\AppData\Roaming\F6A57\73180.exe%C:\Users\Admin\AppData\Roaming\F6A574⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472
-
-
C:\Users\Admin\ckhost.exeC:\Users\Admin\ckhost.exe startC:\Program Files (x86)\57E85\lvvm.exe%C:\Program Files (x86)\57E854⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Program Files (x86)\LP\809F\CF70.tmp"C:\Program Files (x86)\LP\809F\CF70.tmp"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1832
-
-
-
C:\Users\Admin\dkhost.exeC:\Users\Admin\dkhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:320 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1612
-
-
-
C:\Users\Admin\ekhost.exeC:\Users\Admin\ekhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2516
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_08b4bebcf4bda9e48c61d7f31cbac4d6.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2772
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2548
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5501⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600B
MD5c78a79e0da11636450c0a2c2c474c75a
SHA12b5c09d2ecbc0f0b6f85260c806919dd8491e105
SHA2568f47dabab24a0f6f5751db9b134e3f4ad0108ae3ebb89c1547feae9573e26ab8
SHA512734bcd2cec80d227da1548260f753de036a71568010bc19da80da0404c8a88ad0db120c2bd49b02404c08803e6500f6f7a2ccd1d32e705b569f2af33f036dd55
-
Filesize
996B
MD5c15528cbec08740c168573d293f22599
SHA1f67b203449a9f1f5ece8b6b0a6291fd46c579e97
SHA2566723fd65143cd49b5f868539a2b921b0ba1d298e37c102eda29c546110915431
SHA512bb01512bbf0839ae6112e560081559172dcf766c3d52e59f24526369a0f7d44d7a822f5d77b8043115012bfe0f7e0e916d25ea424868ba7a586f887296dc51c3
-
Filesize
1KB
MD5a5a7c82d9b0d42ae02bc95a5aaa82ea0
SHA1d561c34ee516779665c9b0f7f3362b54dc8c4a66
SHA256b8f2a85b5e6be6f8fc7b95154a449e39e07b8d496b433bceab025b5b77b4ad9f
SHA512c53d31e872767392ea1936f9947a9a511f3f721dea4d77837cf23447f088a8734e49b2e333de1102d89b4f932a43aa00306999a6bdaaff08a77a8df6a7b56f68
-
Filesize
2KB
MD582f58268eb13c6e3087c675720b6a954
SHA133feab8f91ab783d8ad16c8e63458091045d90f2
SHA256d660b568a87890faf72855611ffa7030aef062ada46f348c7efd5bdf334aa8be
SHA512a09a705ae3f52ceeb6db1326e2a7a88025d8c95957c644afcf11ad868e56b2cf49f85620b6aacadb2aa51aecf9dda64e1dec3272c80e2220180402546470fb46
-
Filesize
99KB
MD51e68864c3deefd4a81f2f505740f09fc
SHA18a12dea68e9924e27bed3076674ddd5e9448c443
SHA256a25f10f13be9dc44c25c88c0834ffce455e0e7ad0d7e4a32c825120c3a5dc1bf
SHA51260c98b7a8dfaba961363edbac2d58996b246b5a2e472b064173fa501ab06e3b800449e5020252450e73f13e1a59c704e10d778ee972396a19389217b0f0b4bce
-
Filesize
229KB
MD52c895814249b3630f5ef87aef065a6d2
SHA1785a02f3a3c958fb2f3fa7ce26860b65da34939d
SHA256cc6377f8d451bd5ceb97d95409b74c9589f86edd47fead3db05e3a3dbfc6204a
SHA51214e786deb9917c57dbdb6468a5b6b05ef0aacaa5a9efc962bac691648c1059c99537a85f9bd65013bb2765ebcbd1fa97027c6f2069ae2e1cc901d4247c7f404c
-
Filesize
122KB
MD56adba45c3cd86e3e4179c2489adc3ed0
SHA1c856828981816a028d9948d4e90e83779ba00cc6
SHA256e1432e8564f1a32df65a2cb433d4968e2109fef1508ad150a89e7c31227d3de8
SHA51213404f5c2a311bc87e96d550674c9a7c6fda0f7808db1b901747d4e7a2e4c76bea268e38a17d3206ae419144981a060d29f916f676e586cc4376ad81717de672
-
Filesize
184KB
MD52261c2411c6e581bf496a0be8d46c6d8
SHA179e709807dff36c8d9936db05c0adcce54a1a290
SHA25620e4fb3c4086c725feafdd50d8c8e405b20f6a9b868422455ca0b9cd007eb418
SHA512622f86d976e9c140b29a1b29c21ac26415acab2762bac6d429123cb73af002377a0ecc62afaea0ef06dea689ebb6e70a1c7251186a260eae279cc8587622cefd
-
Filesize
279KB
MD5b4004c548fec0ae0f7264b509b95e4d8
SHA16142664dc2b3ce927fecb96fa18a1dbc5219ae8f
SHA2563f4aae3b2ec5b1d842841e76a963f26b471ed15e9933c40d48469a48ed04ee56
SHA512750223d1cf30812b4c9dba9f21893f2ce34b717c17da2befe47f13e8d623c5098f5133053cb1a909da5e4ebc07b68979e72fa8f36c26c6c191665b213e838d90
-
Filesize
240KB
MD50a67782f34b335fe42be835ad4542124
SHA1c1838a364f27ed7b8a463edefeabf8d762d1f149
SHA2564f1d17a99aaf1719a96778e06edb417de118672ad3b0193a3fd2706a8e6f699c
SHA5124dd56baf20ad532e7c1933d83889c649ffe4069a23dde43486c32105c0df67ebc8f670cb54c13a902105d38f5efea06c3a7f6481aec49c4af1b40bc8cfa7b086
-
Filesize
32KB
MD549e105d54bf4201e39ef974f9e5c24dc
SHA170737f6e75e250cfa335f8ef10be4b934f6fa1af
SHA256a7d86eb136f345db624f4ddc577b61a2bb54f24c6b83a1de66dbdc167f3bb119
SHA5127b9c210b69535ffca2280bd54b88bb2644e39fb1db487fbf8d83ea420c6db7d05b2373bef172a07b3090139e29110c593b09151e39ff6358d1fc62c0e91783fe
-
Filesize
184KB
MD5e8e0131048e1d81d65a57721c59c5354
SHA1656dbcc439016fe2d1b8574be052c94dd1f48943
SHA2567e32fed06640cd67d52d10f839fa3941a964198826fdc885a4351c393803f05d
SHA5126946b32a1a0d9f2bf2892e5e8b633896386cfb7b86390b683a606a05e4315b28e1610cdfa61d4edc1ade5d400b6710264c74d88fbbd39924c798c44d4b199d79
-
Filesize
53KB
MD563e99b675a1337db6d8430195ea3efd2
SHA11baead2bf8f433dc82f9b2c03fd65ce697a92155
SHA2566616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
SHA512f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
-
Filesize
4KB
MD5758f90d425814ea5a1d2694e44e7e295
SHA164d61731255ef2c3060868f92f6b81b4c9b5fe29
SHA256896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433
SHA51211858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9