Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 15:12
Static task
static1
Behavioral task
behavioral1
Sample
e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe
-
Size
512KB
-
MD5
e2d18966d4665fb34cbbccad4c87e2cc
-
SHA1
249e4de741f006cb0d755e37b587f8cf3d638745
-
SHA256
b7736ffd44d69a16213a96e771fae8d39546a2240b788971edeefe145d382268
-
SHA512
1138c643e40e8428ef177d169491b02e872c145887eb3d89a316c8e082bd0eee48cbce3b05e05b67650599790b6cc959a1f83b6fd174cb573141341e7b4aed2f
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wdzafhirec.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wdzafhirec.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wdzafhirec.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wdzafhirec.exe -
Executes dropped EXE 5 IoCs
pid Process 2968 wdzafhirec.exe 2516 gwoyshgmbfuudpa.exe 2524 guptyhlf.exe 2600 yrinmiokclrnd.exe 2380 guptyhlf.exe -
Loads dropped DLL 5 IoCs
pid Process 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 2968 wdzafhirec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" wdzafhirec.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfvmxvft = "gwoyshgmbfuudpa.exe" gwoyshgmbfuudpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yrinmiokclrnd.exe" gwoyshgmbfuudpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ngxrrflg = "wdzafhirec.exe" gwoyshgmbfuudpa.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\b: guptyhlf.exe File opened (read-only) \??\x: guptyhlf.exe File opened (read-only) \??\p: guptyhlf.exe File opened (read-only) \??\w: guptyhlf.exe File opened (read-only) \??\j: guptyhlf.exe File opened (read-only) \??\r: guptyhlf.exe File opened (read-only) \??\e: guptyhlf.exe File opened (read-only) \??\l: guptyhlf.exe File opened (read-only) \??\t: guptyhlf.exe File opened (read-only) \??\l: wdzafhirec.exe File opened (read-only) \??\n: wdzafhirec.exe File opened (read-only) \??\l: guptyhlf.exe File opened (read-only) \??\s: wdzafhirec.exe File opened (read-only) \??\n: guptyhlf.exe File opened (read-only) \??\i: guptyhlf.exe File opened (read-only) \??\s: guptyhlf.exe File opened (read-only) \??\z: guptyhlf.exe File opened (read-only) \??\k: wdzafhirec.exe File opened (read-only) \??\m: guptyhlf.exe File opened (read-only) \??\y: guptyhlf.exe File opened (read-only) \??\m: guptyhlf.exe File opened (read-only) \??\h: guptyhlf.exe File opened (read-only) \??\t: guptyhlf.exe File opened (read-only) \??\z: guptyhlf.exe File opened (read-only) \??\g: guptyhlf.exe File opened (read-only) \??\b: wdzafhirec.exe File opened (read-only) \??\g: wdzafhirec.exe File opened (read-only) \??\z: wdzafhirec.exe File opened (read-only) \??\a: wdzafhirec.exe File opened (read-only) \??\j: wdzafhirec.exe File opened (read-only) \??\r: wdzafhirec.exe File opened (read-only) \??\t: wdzafhirec.exe File opened (read-only) \??\v: guptyhlf.exe File opened (read-only) \??\h: guptyhlf.exe File opened (read-only) \??\o: guptyhlf.exe File opened (read-only) \??\r: guptyhlf.exe File opened (read-only) \??\v: guptyhlf.exe File opened (read-only) \??\k: guptyhlf.exe File opened (read-only) \??\q: guptyhlf.exe File opened (read-only) \??\s: guptyhlf.exe File opened (read-only) \??\u: guptyhlf.exe File opened (read-only) \??\i: wdzafhirec.exe File opened (read-only) \??\o: wdzafhirec.exe File opened (read-only) \??\v: wdzafhirec.exe File opened (read-only) \??\n: guptyhlf.exe File opened (read-only) \??\a: guptyhlf.exe File opened (read-only) \??\b: guptyhlf.exe File opened (read-only) \??\i: guptyhlf.exe File opened (read-only) \??\p: guptyhlf.exe File opened (read-only) \??\q: guptyhlf.exe File opened (read-only) \??\m: wdzafhirec.exe File opened (read-only) \??\x: guptyhlf.exe File opened (read-only) \??\w: guptyhlf.exe File opened (read-only) \??\a: guptyhlf.exe File opened (read-only) \??\k: guptyhlf.exe File opened (read-only) \??\y: guptyhlf.exe File opened (read-only) \??\e: wdzafhirec.exe File opened (read-only) \??\u: wdzafhirec.exe File opened (read-only) \??\x: wdzafhirec.exe File opened (read-only) \??\e: guptyhlf.exe File opened (read-only) \??\j: guptyhlf.exe File opened (read-only) \??\q: wdzafhirec.exe File opened (read-only) \??\w: wdzafhirec.exe File opened (read-only) \??\h: wdzafhirec.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wdzafhirec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" wdzafhirec.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1400-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0029000000015c2f-9.dat autoit_exe behavioral1/files/0x000c00000001224e-17.dat autoit_exe behavioral1/files/0x000b00000001560a-25.dat autoit_exe behavioral1/files/0x0007000000015c7c-36.dat autoit_exe behavioral1/files/0x00050000000192c9-66.dat autoit_exe behavioral1/files/0x00050000000192f4-72.dat autoit_exe behavioral1/files/0x000500000001931b-75.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wdzafhirec.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File created C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\gwoyshgmbfuudpa.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File created C:\Windows\SysWOW64\guptyhlf.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\guptyhlf.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\yrinmiokclrnd.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File created C:\Windows\SysWOW64\wdzafhirec.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File created C:\Windows\SysWOW64\yrinmiokclrnd.exe e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll wdzafhirec.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal guptyhlf.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe guptyhlf.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal guptyhlf.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal guptyhlf.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe guptyhlf.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe guptyhlf.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc wdzafhirec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C14E4DAB6B9CC7FE2EDE337CD" e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" wdzafhirec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs wdzafhirec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02F44EE389F52BEBAA13299D7B9" e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2500 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2968 wdzafhirec.exe 2968 wdzafhirec.exe 2968 wdzafhirec.exe 2968 wdzafhirec.exe 2968 wdzafhirec.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2524 guptyhlf.exe 2524 guptyhlf.exe 2524 guptyhlf.exe 2524 guptyhlf.exe 2516 gwoyshgmbfuudpa.exe 2380 guptyhlf.exe 2380 guptyhlf.exe 2380 guptyhlf.exe 2380 guptyhlf.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2516 gwoyshgmbfuudpa.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2380 guptyhlf.exe 2380 guptyhlf.exe 2380 guptyhlf.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2516 gwoyshgmbfuudpa.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2968 wdzafhirec.exe 2524 guptyhlf.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2600 yrinmiokclrnd.exe 2380 guptyhlf.exe 2380 guptyhlf.exe 2380 guptyhlf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2500 WINWORD.EXE 2500 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1400 wrote to memory of 2968 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 28 PID 1400 wrote to memory of 2968 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 28 PID 1400 wrote to memory of 2968 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 28 PID 1400 wrote to memory of 2968 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 28 PID 1400 wrote to memory of 2516 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 29 PID 1400 wrote to memory of 2516 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 29 PID 1400 wrote to memory of 2516 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 29 PID 1400 wrote to memory of 2516 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 29 PID 1400 wrote to memory of 2524 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 30 PID 1400 wrote to memory of 2524 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 30 PID 1400 wrote to memory of 2524 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 30 PID 1400 wrote to memory of 2524 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 30 PID 1400 wrote to memory of 2600 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 31 PID 1400 wrote to memory of 2600 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 31 PID 1400 wrote to memory of 2600 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 31 PID 1400 wrote to memory of 2600 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 31 PID 1400 wrote to memory of 2500 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 32 PID 1400 wrote to memory of 2500 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 32 PID 1400 wrote to memory of 2500 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 32 PID 1400 wrote to memory of 2500 1400 e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe 32 PID 2968 wrote to memory of 2380 2968 wdzafhirec.exe 33 PID 2968 wrote to memory of 2380 2968 wdzafhirec.exe 33 PID 2968 wrote to memory of 2380 2968 wdzafhirec.exe 33 PID 2968 wrote to memory of 2380 2968 wdzafhirec.exe 33 PID 2500 wrote to memory of 1984 2500 WINWORD.EXE 36 PID 2500 wrote to memory of 1984 2500 WINWORD.EXE 36 PID 2500 wrote to memory of 1984 2500 WINWORD.EXE 36 PID 2500 wrote to memory of 1984 2500 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2d18966d4665fb34cbbccad4c87e2cc_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\wdzafhirec.exewdzafhirec.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\guptyhlf.exeC:\Windows\system32\guptyhlf.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2380
-
-
-
C:\Windows\SysWOW64\gwoyshgmbfuudpa.exegwoyshgmbfuudpa.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2516
-
-
C:\Windows\SysWOW64\guptyhlf.exeguptyhlf.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2524
-
-
C:\Windows\SysWOW64\yrinmiokclrnd.exeyrinmiokclrnd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1984
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD502f7b2a324ee06d3eec0a6f4c0a0dc20
SHA1ab849f6a33b7f453282a176660960766f7d715b8
SHA256eea7e965e20a5f7f7f4965a21915e07bdc19b70699fdd2599ccfa08755d2e330
SHA512f110c746812bcc9e50bbbbd198dc34b8c447f89d4076660ff25eab70e8a91640c8d48152036ef87c8ec33a55c028bd3c93236489f371e5cce7054061ed46b40a
-
Filesize
512KB
MD5b72b95f6b53cc365eaf11d883361d95e
SHA1501b1e95b04e24577936764645b22bac3de11888
SHA256962f5607a82ef6f7b41a3c9bd253169f67c8b1d3337fe1e5e3a1958b6e90c94a
SHA5121f9a0cc1db685fe061c73d8b7c7bb794f3335b43a59440190958464ce719ff874c3e53744321be256fdb75c3a9c90c0a8644a1131b5879da7dc09733ebbafd49
-
Filesize
20KB
MD5fe95b7fa3b95bc0f00ba276d0ba0ed36
SHA1a99dd1a2557d7141b2f435f1850fec04a4adc478
SHA2566deeb1ecd6f72202a48f858103442b1e9f7e0b874d35d612eef79d0b6b4d98b1
SHA5124c7c26b247dd22cd184e7b9e731d087e0f3ad79797b0e1eec54b66b3118715b571002a5fc9b81539f1950990698f686ef39ab19a90fdc717c12b64552a1ad06e
-
Filesize
512KB
MD514be3be406211e62b07e71fdfcd5a14f
SHA1e6fcf195edb39e44313a595ac63cdd049cf9f787
SHA256ba2d18b447014f588aee71023f5d063e18c5d4a6e2b987ef0a376e3d0a624844
SHA512498e82409125e39bd56c2f5109be9d5e2f29e9c8ca235ec9a623b111cfdf7da0a6df3a312de2d124901026f5c36daffab982183b95ee5460e11d53b4e753b5c6
-
Filesize
512KB
MD5fc33f1da2086eb188d7bf8d2afad5b8e
SHA12db383b7092bd1f9f46093be59a1f9cc34f5a2ac
SHA256b6dd17a048b6949cb1eab09072dc19e4c6fae6e6765f87ff93a304a1524f193f
SHA5128963efc0ca5a9de9f8613fb22052a30e75a306e9179ab60f3c9a0de2d5308676e84a3a0f7dd00dda12ed3dad6c588d82a6d951a44989c973ac86d178ef2978f4
-
Filesize
512KB
MD5307cc4cefebc047d37b6d4bec2c35449
SHA1f1dda92c9d80fd493cca1b48e7144b98f76ead29
SHA2567d3b4fe7a64a95588fc9f8302434ca3d93ed4d535889c3fd278ae9d21ed2006d
SHA5123201e2ccd5879ac5b2c45d652d9fb69fe2fa9ae4679e4c6e8f8a78354af860c54da8a89464e364b9e9c4f42f7ec02270a5e01f1b3b90531a3b94b679bdfbe531
-
Filesize
512KB
MD56d469cb184053f14eb58fb3b283d73cb
SHA1bc4f271249319ce4089139f4120c328440313db6
SHA2560dcbe8a47928b912da5218108172ac3780c420e289f5f05102d60015d4fe1f6d
SHA51298e9404ea5352d35d4ce4e88f133ae2044df2f3994e82fb3c3c7dde99772e09492089aa980ca0835d39410a8e267cca26ad2804f05a7b132e24794c38c9569db
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5433a9574d81060d584a539df6541c1e1
SHA1cf71fe1d409fd96d322c0e0be442ed7f6f5373a2
SHA2568b62a7d367e2aca0b17e91fd04eecf00e8bbbd37acfb62bab60fe7cfb7f60a35
SHA512a0af7f67e39c6724b6108d89bf1c0fa41a20132b4c390bbe4e768ac7ab6e8af0b32570cadb4799ab6857f4d7eb161966a18b4af78379179d373167308c57cda2