Analysis
max time kernel: 152s
max time network: 134s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 16:37
Static task: static1
Behavioral task: behavioral1
    Sample: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
    Resource: win10v2004-20231215-en
General
Target: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Size: 512KB
MD5: e55fdbfbab5a2d31ae484ae950d93920
SHA1: 6d08f719353b8d01c6abe393839d6102f7e59b7b
SHA256: fb46af467e44e6c24e3cccf407daeb4c03e657829205345c2b77a6954ec87b7e
SHA512: 34884f4e79670950df8c7f3ac7367feb6a1db3c1d2b24de4117132c333db1dfeffe454322af55afdb2b4824c78e18617966e185067ba544f4ff69e2b26299ac0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nbawubglfv.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nbawubglfv.exe
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nbawubglfv.exe
Disables RegEdit via registry modification 1 IoCs
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nbawubglfv.exe
Executes dropped EXE 5 IoCs
Processes: nbawubglfv.exe, iysblbpxuvzxtns.exe, olutbftt.exe, ebjltikyerlrc.exe, olutbftt.exe
pid | process
2644 | nbawubglfv.exe
2796 | iysblbpxuvzxtns.exe
2532 | olutbftt.exe
2896 | ebjltikyerlrc.exe
2428 | olutbftt.exe
Loads dropped DLL 5 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, nbawubglfv.exe
pid | process
2980 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
2980 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
2980 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
2980 | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
2644 | nbawubglfv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nbawubglfv.exe
Adds Run key to start application 2 TTPs 3 IoCs
Processes: iysblbpxuvzxtns.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iclempqz = "nbawubglfv.exe" | iysblbpxuvzxtns.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\voapdkzz = "iysblbpxuvzxtns.exe" | iysblbpxuvzxtns.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ebjltikyerlrc.exe" | iysblbpxuvzxtns.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: nbawubglfv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nbawubglfv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nbawubglfv.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000d0000000122e2-5.dat | autoit_exe
behavioral1/files/0x00060000000120e7-17.dat | autoit_exe
behavioral1/files/0x0035000000015c29-28.dat | autoit_exe
behavioral1/files/0x0008000000015c76-34.dat | autoit_exe
behavioral1/files/0x0005000000019311-73.dat | autoit_exe
behavioral1/files/0x0005000000019337-76.dat | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, nbawubglfv.exe
description | ioc | process
File created | C:\Windows\SysWOW64\nbawubglfv.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\olutbftt.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nbawubglfv.exe
File opened for modification | C:\Windows\SysWOW64\nbawubglfv.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iysblbpxuvzxtns.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\iysblbpxuvzxtns.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\olutbftt.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ebjltikyerlrc.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ebjltikyerlrc.exe | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
Drops file in Program Files directory 14 IoCs
Processes: olutbftt.exe, olutbftt.exe
description | ioc | process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | olutbftt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | olutbftt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | olutbftt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | olutbftt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | olutbftt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | olutbftt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | olutbftt.exe
Drops file in Windows directory 5 IoCs
Processes: e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2936 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2936 | WINWORD.EXE
2936 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e55fdbfbab5a2d31ae484ae950d93920_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\nbawubglfv.exenbawubglfv.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2644
C:\Windows\SysWOW64\olutbftt.exe
Command line: C:\Windows\system32\olutbftt.exe (tree depth 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2428
C:\Windows\SysWOW64\iysblbpxuvzxtns.exe
Command line: iysblbpxuvzxtns.exe (tree depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796
C:\Windows\SysWOW64\olutbftt.exe
Command line: olutbftt.exe (tree depth 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532
C:\Windows\SysWOW64\ebjltikyerlrc.exe
Command line: ebjltikyerlrc.exe (tree depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (tree depth 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288 (tree depth 3)
PID:568
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads