Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/02/2025, 01:38
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Resource: win10v2004-20250211-en
General
Target: JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Size: 856KB
MD5: f29d5c214d1622dd9e6c65996c977f49
SHA1: 351501e74e937677ea36e0ee6f9bb0c0aa4f8b38
SHA256: 41e8e0e2c8852b21ececb4640336fef5e0c149462efac9ab63b2c16748c3eedb
SHA512: 94c4b6a60a81ff2d44c92b83c7700f04d1bfdced04ebbe19bf0315e8eade78e069fd3b266a9e9b43a447a417dde56ea155efc547cee616f7a6b0f8f3180d5c96
SSDEEP: 12288:xhNC6uHZO3sjBKPeOMencvemgLtnVaEb86IthTjDQ5DmjqYs:1K0Oecve9tPIZTjPjM
Malware Config
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload 17 IoCs
Modifies firewall policy service 3 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe:*:Enabled:Windows Messanger" | reg.exe
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\java\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\java | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\java\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\java | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
Downloads MZ/PE file 1 IoCs
flow | pid | Process
56 | 2808 | Process not Found
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 10 IoCs
pid | Process
3272 | setup.exe
4236 | setup.exe
216 | setup.exe
184 | setup.exe
4888 | setup.exe
2168 | setup.exe
1784 | setup.exe
1056 | setup.exe
4488 | setup.exe
1344 | setup.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2144 set thread context of 3548 | 2144 | JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe | 88
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4848 | MicrosoftEdgeUpdate.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | setup.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | setup.exe
Modifies registry class 64 IoCs
Modifies registry key 1 TTPs 4 IoCs
  PID   Process
  2032  reg.exe
  4504  reg.exe
  2472  reg.exe
  3444  reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
  PID   Process          Events
  4888  setup.exe        2
  2104  LocalBridge.exe  6
Suspicious use of AdjustPrivilegeToken 40 IoCs
  Token privileges adjusted, grouped by process, in the order the sandbox recorded them:
  PID 3548 JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe (36 events):
    1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
  PID 3272 setup.exe (2 events):
    33, SeIncBasePriorityPrivilege
  PID 3156 wwahost.exe (2 events):
    SeDebugPrivilege, SeDebugPrivilege
Suspicious use of SetWindowsHookEx 5 IoCs
  PID   Process                                              Events
  2144  JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  1
  3548  JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  3
  3156  wwahost.exe                                          1
Suspicious use of WriteProcessMemory 52 IoCs
  Source PID  Process                                              Target PID  procid_target  Events
  2144        JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  3548        88             8
  3548        JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  4948        90             3
  3548        JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  3704        91             3
  3548        JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  5024        92             3
  3548        JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe  5008        93             3
  4948        cmd.exe                                              2032        98             3
  5024        cmd.exe                                              4504        99             3
  5008        cmd.exe                                              2472        100            3
  3704        cmd.exe                                              3444        101            3
  2608        MicrosoftEdge_X64_133.0.3065.59.exe                  3272        110            2
  3272        setup.exe                                            4236        111            2
  3272        setup.exe                                            216         112            2
  216         setup.exe                                            184         113            2
  3272        setup.exe                                            4888        114            2
  3272        setup.exe                                            2168        115            2
  3272        setup.exe                                            1784        116            2
  2168        setup.exe                                            1056        117            2
  4888        setup.exe                                            4488        118            2
  1784        setup.exe                                            1344        119            2
System policy modification 1 TTPs 4 IoCs
  Description      IoC                                                                                              Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext                         setup.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\                  setup.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID                   setup.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"  setup.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe (PID 2144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe (PID 3548)
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe
    Signatures:
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (PID 4948)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 2032)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 3704)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe:*:Enabled:Windows Messanger" /f
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 3444)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f29d5c214d1622dd9e6c65996c977f49.exe:*:Enabled:Windows Messanger" /f
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 5024)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 4504)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 5008)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\reg.exe (PID 2472)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        Signatures:
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 4848)
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM3NTg0MjUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
  Signatures:
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery

- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe (PID 2608)
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe (PID 3272)
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    Signatures:
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Child processes:
    - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe (PID 4236)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c0c26a68,0x7ff7c0c26a74,0x7ff7c0c26a80
      Signatures:
      - Executes dropped EXE
    - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe (PID 216)
      Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      Signatures:
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe (PID 184)
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{986364B3-E216-4CF4-8DAA-341623DD6587}\EDGEMITMP_B3D0A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7c0c26a68,0x7ff7c0c26a74,0x7ff7c0c26a80
        Signatures:
        - Executes dropped EXE
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 4888)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 4488)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
        Signatures:
        - Executes dropped EXE
        - Drops file in Program Files directory
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 2168)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
      Signatures:
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 1056)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
        Signatures:
        - Executes dropped EXE
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 1784)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
      Signatures:
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe (PID 1344)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78e5a6a68,0x7ff78e5a6a74,0x7ff78e5a6a80
        Signatures:
        - Executes dropped EXE
        - Drops file in Program Files directory

- C:\Windows\System32\svchost.exe (PID 2096)
  Command line: C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe (PID 2104)
  Command line: "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
  Signatures:
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\wwahost.exe (PID 3156)
  Command line: "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
  Signatures:
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Browser Extensions (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (8)
Downloads