Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
24-01-2025 15:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe
Resource
win7-20241023-en
windows7-x64
34 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe
-
Size
964KB
-
MD5
22d8537b3cd2f668d3f65ac3eb6dce86
-
SHA1
c3cf4b2d7c0eeab78574e04066c83d13e2fde78c
-
SHA256
6e3310dc399edd83271c6f5bd3c013f5d6107c4c1329d08923a689297f951ced
-
SHA512
1fb7992555ced3344f9a2045c8147a018dc03e9937e8759f8c4de871ad4c6a3fab22cb0a39a4ede038ba9ea6ca08ab75cf3c22eefa634d1f7185792acdfea4a4
-
SSDEEP
24576:VNDtgSt8ux/FI5QhM5BtON/X5aP/SdqJyybYfxk/5GFaidS0:djImitOWXSdSrbjz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\a0440614\\X" Explorer.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qaoku.exe Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" u2AzQ8M2.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\hosts 5eod.exe -
Deletes itself 1 IoCs
pid Process 2372 cmd.exe -
Executes dropped EXE 16 IoCs
pid Process 1532 u2AzQ8M2.exe 2616 qaoku.exe 2976 2eod.exe 2848 2eod.exe 2692 2eod.exe 2196 2eod.exe 2880 2eod.exe 1220 2eod.exe 2024 3eod.exe 896 4eod.exe 332 csrss.exe 1484 X 844 3eod.exe 2288 3eod.exe 1844 5eod.exe 892 55ED.tmp -
Loads dropped DLL 16 IoCs
pid Process 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 1532 u2AzQ8M2.exe 1532 u2AzQ8M2.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 896 4eod.exe 896 4eod.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 2024 3eod.exe 2024 3eod.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description flow ioc pid Process Destination IP 16 31.193.3.240 896 4eod.exe Destination IP 31.193.3.240 Process not Found Destination IP 31.193.3.240 Process not Found Destination IP 31.193.3.240 Process not Found Destination IP 14 31.193.3.240 896 4eod.exe -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /X" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /o" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /J" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /M" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /m" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /V" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /n" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /t" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /U" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /h" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /p" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /b" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /z" u2AzQ8M2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\97C.exe = "C:\\Program Files (x86)\\LP\\1D4D\\97C.exe" 3eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /D" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /v" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /c" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /Q" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /r" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /G" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /I" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /Y" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /f" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /j" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /d" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /C" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /A" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /k" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /y" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /a" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /u" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /O" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /l" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /z" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /Z" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /H" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /i" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /B" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /w" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /e" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /T" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /L" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /W" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /R" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /E" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /q" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /F" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /K" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /s" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /P" qaoku.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Init = "\"C:\\Users\\Admin\\AppData\\Roaming\\xblqvkjsovxungazw2dvxvbcczpqvkzu2\\svcnost.exe\"" 5eod.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\qaoku = "C:\\Users\\Admin\\qaoku.exe /g" qaoku.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2eod.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2eod.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1748 tasklist.exe 2420 tasklist.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 2976 set thread context of 2848 2976 2eod.exe 38 PID 2976 set thread context of 2692 2976 2eod.exe 39 PID 2976 set thread context of 2196 2976 2eod.exe 40 PID 2976 set thread context of 2880 2976 2eod.exe 41 PID 2976 set thread context of 1220 2976 2eod.exe 42 PID 896 set thread context of 2856 896 4eod.exe 53 -
resource yara_rule behavioral1/memory/2848-40-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2848-47-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2848-49-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2848-45-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2848-42-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2692-64-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2692-63-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2692-62-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2692-61-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2692-56-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2692-54-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/2196-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2196-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2880-81-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2880-79-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2880-84-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2880-87-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2880-86-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2848-105-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/2880-161-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/files/0x0017000000018739-455.dat upx behavioral1/memory/1844-457-0x0000000000400000-0x0000000000B19000-memory.dmp upx behavioral1/memory/1844-489-0x0000000000400000-0x0000000000B19000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\1D4D\97C.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\1D4D\97C.exe 3eod.exe File opened for modification C:\Program Files (x86)\LP\1D4D\55ED.tmp 3eod.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 55ED.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qaoku.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u2AzQ8M2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3eod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72c75e41-2578-11fe-128e-bc8664abcda1}\u = "188" 4eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72c75e41-2578-11fe-128e-bc8664abcda1}\cid = "5736249991536885510" 4eod.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \registry\machine\Software\Classes\Interface\{72c75e41-2578-11fe-128e-bc8664abcda1} 4eod.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1532 u2AzQ8M2.exe 1532 u2AzQ8M2.exe 2692 2eod.exe 2196 2eod.exe 2616 qaoku.exe 2616 qaoku.exe 2692 2eod.exe 2196 2eod.exe 2616 qaoku.exe 2616 qaoku.exe 2616 qaoku.exe 2616 qaoku.exe 2692 2eod.exe 2024 3eod.exe 2024 3eod.exe 2024 3eod.exe 2024 3eod.exe 2024 3eod.exe 2024 3eod.exe 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2616 qaoku.exe 2616 qaoku.exe 896 4eod.exe 896 4eod.exe 896 4eod.exe 896 4eod.exe 1484 X 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2616 qaoku.exe 2616 qaoku.exe 2616 qaoku.exe 2692 2eod.exe 2692 2eod.exe 2692 2eod.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1672 explorer.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 2420 tasklist.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeSecurityPrivilege 2560 msiexec.exe Token: SeDebugPrivilege 896 4eod.exe Token: SeDebugPrivilege 896 4eod.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeShutdownPrivilege 1672 explorer.exe Token: SeDebugPrivilege 1748 tasklist.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe 1672 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 1532 u2AzQ8M2.exe 2616 qaoku.exe 2976 2eod.exe 2848 2eod.exe 2880 2eod.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 1532 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 30 PID 2176 wrote to memory of 1532 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 30 PID 2176 wrote to memory of 1532 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 30 PID 2176 wrote to memory of 1532 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 30 PID 1532 wrote to memory of 2616 1532 u2AzQ8M2.exe 31 PID 1532 wrote to memory of 2616 1532 u2AzQ8M2.exe 31 PID 1532 wrote to memory of 2616 1532 u2AzQ8M2.exe 31 PID 1532 wrote to memory of 2616 1532 u2AzQ8M2.exe 31 PID 1532 wrote to memory of 1488 1532 u2AzQ8M2.exe 32 PID 1532 wrote to memory of 1488 1532 u2AzQ8M2.exe 32 PID 1532 wrote to memory of 1488 1532 u2AzQ8M2.exe 32 PID 1532 wrote to memory of 1488 1532 u2AzQ8M2.exe 32 PID 1488 wrote to memory of 2420 1488 cmd.exe 34 PID 1488 wrote to memory of 2420 1488 cmd.exe 34 PID 1488 wrote to memory of 2420 1488 cmd.exe 34 PID 1488 wrote to memory of 2420 1488 cmd.exe 34 PID 2176 wrote to memory of 2976 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 37 PID 2176 wrote to memory of 2976 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 37 PID 2176 wrote to memory of 2976 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 37 PID 2176 wrote to memory of 2976 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 37 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2848 2976 2eod.exe 38 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2692 2976 2eod.exe 39 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2196 2976 2eod.exe 40 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 2880 2976 2eod.exe 41 PID 2976 wrote to memory of 1220 2976 2eod.exe 42 PID 2976 wrote to memory of 1220 2976 2eod.exe 42 PID 2976 wrote to memory of 1220 2976 2eod.exe 42 PID 2976 wrote to memory of 1220 2976 2eod.exe 42 PID 2976 wrote to memory of 1220 2976 2eod.exe 42 PID 2176 wrote to memory of 2024 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 43 PID 2176 wrote to memory of 2024 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 43 PID 2176 wrote to memory of 2024 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 43 PID 2176 wrote to memory of 2024 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 43 PID 2176 wrote to memory of 896 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 46 PID 2176 wrote to memory of 896 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 46 PID 2176 wrote to memory of 896 2176 JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe 46 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3eod.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3eod.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:332
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\u2AzQ8M2.exeC:\Users\Admin\u2AzQ8M2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\qaoku.exe"C:\Users\Admin\qaoku.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2616
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del u2AzQ8M2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
-
-
C:\Users\Admin\2eod.exeC:\Users\Admin\2eod.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2692
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880
-
-
C:\Users\Admin\2eod.exe"C:\Users\Admin\2eod.exe"4⤵
- Executes dropped EXE
PID:1220
-
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2024 -
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Users\Admin\AppData\Roaming\D49BF\BD91D.exe%C:\Users\Admin\AppData\Roaming\D49BF4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844
-
-
C:\Users\Admin\3eod.exeC:\Users\Admin\3eod.exe startC:\Program Files (x86)\BF26E\lvvm.exe%C:\Program Files (x86)\BF26E4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288
-
-
C:\Program Files (x86)\LP\1D4D\55ED.tmp"C:\Program Files (x86)\LP\1D4D\55ED.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892
-
-
-
C:\Users\Admin\4eod.exeC:\Users\Admin\4eod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896 -
C:\Users\Admin\AppData\Local\a0440614\X*0*bc*b064bf06*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1484
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
C:\Users\Admin\5eod.exeC:\Users\Admin\5eod.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:1844
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_22d8537b3cd2f668d3f65ac3eb6dce86.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1440
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:800
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD53fe209cb336f44a0719e53e3b9354aa8
SHA1c37a59ba00521c78d81f0e7cf2713b41593e12a3
SHA25619102a9ce99b067f69ec9b53844aa2e29fbed3d53efbb06e24501ee70af60db1
SHA5126e872ee319e1900fa8ab9b257ec3ee62cc2578476bfc2770090255706f5ea685a5034a1c7b857a088547e130c5cc2b35d65aed54df6965a5274e019293065c09
-
Filesize
600B
MD5f774bfa64d6e8d4694d7c8c39b563e02
SHA1af44587cd236d9fffcc0f5a302493fabdce96f0f
SHA256691a095190bfd025708c8f6716a1d0dc5a34c15bcc7ad260f4a12d5adf0d57d2
SHA5127d9ab8d9f65ff2af70269e33365056a0f73dbe9e99d8773fa4d74777195bec7fe8d48a2fc034433c78fbc0cc5371e3bebb101b6f81d85a09fb8dec4089fa4e13
-
Filesize
996B
MD55a68e9f80fa6b61d733e547141824cf6
SHA15b733fa978ed26101fb80fae6e36c9288baa8d91
SHA2564427b3e842bc091a94f9da5649bcf2d8d9bdd839acfd995f1c47a1a3c0900ce9
SHA512ab4039f42aafdcf1eb3e9dc78530747b6c650bf3f379cf9ed862e52714e2b03a881ee360776543c3a1f72baa98f6e8f567ecebb41331c4b704a3fd3d31f3282b
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
100KB
MD5340f18faddf54d738f6e56fe3d8b1d54
SHA1bb247a2f8db305906d558c0c665cc7fd7f86ff67
SHA2564613dcf13e53312b483bfebb7866b9e1111c434beabd1b19a03721ab7a2ec572
SHA512e47e375ec6c8cd07411da44cec52c35c1c28e3fce9d09acf390371ea6b1c456e1d43f87d7b5de6f8ba9b233d11caf25cfd5b4890f356b510688286322d7cab74
-
Filesize
136KB
MD5449cf714ddba0f68cb17bc7f9698949b
SHA13639bfa3d1563f9a4e2caad9a21074e87b3bfa73
SHA2563c3c398934492f2073aa3a725bff53909ef1bd1a7df82a7467a66d712df12010
SHA5128a08aef0b537395f2503790c7eee4c28986c4fd76670d05018004b3c77011fa4b9d8d3d791ec65ccf6a638f47f007666ea708957776772d5ab6f6d5cae64c81f
-
Filesize
282KB
MD52c24a5f9f31ac5a0d3830187617cf6dc
SHA1e71116ab32e0dfa7495f0562c86f232df7202991
SHA256007e9c74a2ee70d46460c91a3c36aa08602bb51a792e89f2d89a358ecbac94c6
SHA512f59a98a728c0d923443d10b2419b6a9bb5ac613949f26fa923240cc2162c93bc462e65f46f46000a1120065bf344b32ddba0f674cfc8007dd1d7591f4cb19b04
-
Filesize
277KB
MD500b72668c42555c6d9e3cee383730fc0
SHA1509a7c39baf2b9a46813c641cca687b37e244d5a
SHA256baaacce5c3f18154d4925ec6568ccf66f4ab9ee5477bd0faf44f08d9397641dd
SHA5121bfa5cd6081a5e8556b452cf4741831da829fcc9e2b51c77c92a4fdacfa1b934d14bc049f8185be09b1447664f55956f69e7fd16a868c9655eb32f9b9ef02e78
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
320KB
MD53d2e9afd2acf0898d5200ca8e37ca885
SHA1208d1239b1e4a872babfae881c3a0ca8bd2c4cbf
SHA256f771f615224f2f7ff390de4ccb9a385647e5955cbf26c06489373a5ad8d970d1
SHA512d3da0b6bcd118331d5e00640bbabd1fe31d3cfdcf8685557d2e7ad7e25416a0683c826dcf25e166f249b2b98aa3d955eaaa64b6d3e7df44d310b00143b4e1799
-
Filesize
320KB
MD5ca2acc28a24d14c7e282bd1c689229d0
SHA1c253b9ce5fa1db5bd8a02a49af44a751331e624c
SHA256bd67e3974c9108c7f2bd1cb266f6c3aad420fc63860fd653d0198e26927e2c25
SHA512007c6df499080b538deeffa552d09e0cddba64c6494fe98d6eaf883bd39180d4d9fba0bf08f7d650b256bd54fa52deafc415865dd69b00426452470a173ab2d2
-
Filesize
2KB
MD53a7482ba479bf81871823c500396d7f4
SHA14bfe4b0745895cce782cc0a90a8cfe9ba1cc3ca0
SHA25693fd7ce6c6fc5480976b1053b6fe569c589ff5e32ed7731074b827a220b7877e
SHA5124841c45264b44e15a96a438fe6c6ab94b56fa59f67b09f75b2c74850af88df7f5b9b2071d490eb1da4132cfe190f2ab716d8d86e9f80e87d1663bc48213f7cf3