Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
-
Size
512KB
-
MD5
4aabb8cf3e1c596f9948b6da31989213
-
SHA1
5e9c5d7ecef0692af7789b4aab6a0af89c5322f9
-
SHA256
7214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246
-
SHA512
3b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tzjajdzxsu.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tzjajdzxsu.exe -
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tzjajdzxsu.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzjajdzxsu.exe -
Executes dropped EXE 5 IoCs
Processes:
tzjajdzxsu.exeessmrpihhafingu.exesqyconul.exehiiabtxgfauka.exesqyconul.exepid process 1580 tzjajdzxsu.exe 2036 essmrpihhafingu.exe 2544 sqyconul.exe 2652 hiiabtxgfauka.exe 2724 sqyconul.exe -
Loads dropped DLL 5 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exepid process 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 1580 tzjajdzxsu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tzjajdzxsu.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
essmrpihhafingu.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ampqjpss = "tzjajdzxsu.exe" essmrpihhafingu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bcimvpne = "essmrpihhafingu.exe" essmrpihhafingu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hiiabtxgfauka.exe" essmrpihhafingu.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
sqyconul.exesqyconul.exetzjajdzxsu.exedescription ioc process File opened (read-only) \??\l: sqyconul.exe File opened (read-only) \??\k: sqyconul.exe File opened (read-only) \??\y: sqyconul.exe File opened (read-only) \??\m: sqyconul.exe File opened (read-only) \??\a: tzjajdzxsu.exe File opened (read-only) \??\b: sqyconul.exe File opened (read-only) \??\x: sqyconul.exe File opened (read-only) \??\i: sqyconul.exe File opened (read-only) \??\t: sqyconul.exe File opened (read-only) \??\k: tzjajdzxsu.exe File opened (read-only) \??\t: tzjajdzxsu.exe File opened (read-only) \??\u: tzjajdzxsu.exe File opened (read-only) \??\h: sqyconul.exe File opened (read-only) \??\t: sqyconul.exe File opened (read-only) \??\a: sqyconul.exe File opened (read-only) \??\e: sqyconul.exe File opened (read-only) \??\j: sqyconul.exe File opened (read-only) \??\y: sqyconul.exe File opened (read-only) \??\m: sqyconul.exe File opened (read-only) \??\q: sqyconul.exe File opened (read-only) \??\b: sqyconul.exe File opened (read-only) \??\z: sqyconul.exe File opened (read-only) \??\y: tzjajdzxsu.exe File opened (read-only) \??\z: sqyconul.exe File opened (read-only) \??\u: sqyconul.exe File opened (read-only) \??\b: tzjajdzxsu.exe File opened (read-only) \??\n: tzjajdzxsu.exe File opened (read-only) \??\a: sqyconul.exe File opened (read-only) \??\p: sqyconul.exe File opened (read-only) \??\g: sqyconul.exe File opened (read-only) \??\k: sqyconul.exe File opened (read-only) \??\e: tzjajdzxsu.exe File opened (read-only) \??\i: tzjajdzxsu.exe File opened (read-only) \??\s: tzjajdzxsu.exe File opened (read-only) \??\v: tzjajdzxsu.exe File opened (read-only) \??\o: sqyconul.exe File opened (read-only) \??\w: tzjajdzxsu.exe File opened (read-only) \??\n: sqyconul.exe File opened (read-only) \??\l: tzjajdzxsu.exe File opened (read-only) \??\w: sqyconul.exe File opened (read-only) \??\n: sqyconul.exe File opened (read-only) \??\o: tzjajdzxsu.exe File opened (read-only) \??\r: tzjajdzxsu.exe File opened (read-only) \??\l: sqyconul.exe File opened (read-only) \??\v: sqyconul.exe File opened (read-only) \??\x: sqyconul.exe File opened (read-only) \??\p: tzjajdzxsu.exe File opened (read-only) \??\q: tzjajdzxsu.exe File opened (read-only) \??\z: tzjajdzxsu.exe File opened (read-only) \??\r: sqyconul.exe File opened (read-only) \??\v: sqyconul.exe File opened (read-only) \??\h: sqyconul.exe File opened (read-only) \??\m: tzjajdzxsu.exe File opened (read-only) \??\x: tzjajdzxsu.exe File opened (read-only) \??\e: sqyconul.exe File opened (read-only) \??\o: sqyconul.exe File opened (read-only) \??\s: sqyconul.exe File opened (read-only) \??\p: sqyconul.exe File opened (read-only) \??\r: sqyconul.exe File opened (read-only) \??\s: sqyconul.exe File opened (read-only) \??\u: sqyconul.exe File opened (read-only) \??\q: sqyconul.exe File opened (read-only) \??\g: tzjajdzxsu.exe File opened (read-only) \??\j: sqyconul.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
tzjajdzxsu.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" tzjajdzxsu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tzjajdzxsu.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/2972-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe C:\Windows\SysWOW64\essmrpihhafingu.exe autoit_exe \Windows\SysWOW64\tzjajdzxsu.exe autoit_exe \Windows\SysWOW64\essmrpihhafingu.exe autoit_exe \Windows\SysWOW64\sqyconul.exe autoit_exe \Windows\SysWOW64\hiiabtxgfauka.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe autoit_exe C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe autoit_exe C:\Users\Admin\Documents\PopTest.doc.exe autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exedescription ioc process File created C:\Windows\SysWOW64\essmrpihhafingu.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\sqyconul.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File created C:\Windows\SysWOW64\tzjajdzxsu.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\essmrpihhafingu.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File created C:\Windows\SysWOW64\sqyconul.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File created C:\Windows\SysWOW64\hiiabtxgfauka.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\hiiabtxgfauka.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tzjajdzxsu.exe File opened for modification C:\Windows\SysWOW64\tzjajdzxsu.exe 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
Processes:
sqyconul.exesqyconul.exedescription ioc process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal sqyconul.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe sqyconul.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe sqyconul.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal sqyconul.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe sqyconul.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe sqyconul.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal sqyconul.exe -
Drops file in Windows directory 5 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02B44E7399A53B8BADC33E9D7CA" 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" tzjajdzxsu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8E482985699141D6587E9DBD95E134594666426335D7EC" 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" tzjajdzxsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D0D9C2383276A3676D477552DD67CF665DC" 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" tzjajdzxsu.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" tzjajdzxsu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2952 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exesqyconul.exeessmrpihhafingu.exesqyconul.exehiiabtxgfauka.exepid process 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 2544 sqyconul.exe 2544 sqyconul.exe 2544 sqyconul.exe 2544 sqyconul.exe 2036 essmrpihhafingu.exe 2036 essmrpihhafingu.exe 2036 essmrpihhafingu.exe 2036 essmrpihhafingu.exe 2036 essmrpihhafingu.exe 2724 sqyconul.exe 2724 sqyconul.exe 2724 sqyconul.exe 2724 sqyconul.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2036 essmrpihhafingu.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exeessmrpihhafingu.exesqyconul.exehiiabtxgfauka.exesqyconul.exepid process 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 2036 essmrpihhafingu.exe 2544 sqyconul.exe 2544 sqyconul.exe 2036 essmrpihhafingu.exe 2544 sqyconul.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2724 sqyconul.exe 2724 sqyconul.exe 2724 sqyconul.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exeessmrpihhafingu.exesqyconul.exehiiabtxgfauka.exesqyconul.exepid process 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 1580 tzjajdzxsu.exe 2036 essmrpihhafingu.exe 2544 sqyconul.exe 2544 sqyconul.exe 2036 essmrpihhafingu.exe 2544 sqyconul.exe 2036 essmrpihhafingu.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2652 hiiabtxgfauka.exe 2724 sqyconul.exe 2724 sqyconul.exe 2724 sqyconul.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2952 WINWORD.EXE 2952 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exetzjajdzxsu.exeWINWORD.EXEdescription pid process target process PID 2972 wrote to memory of 1580 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe tzjajdzxsu.exe PID 2972 wrote to memory of 1580 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe tzjajdzxsu.exe PID 2972 wrote to memory of 1580 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe tzjajdzxsu.exe PID 2972 wrote to memory of 1580 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe tzjajdzxsu.exe PID 2972 wrote to memory of 2036 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe essmrpihhafingu.exe PID 2972 wrote to memory of 2036 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe essmrpihhafingu.exe PID 2972 wrote to memory of 2036 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe essmrpihhafingu.exe PID 2972 wrote to memory of 2036 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe essmrpihhafingu.exe PID 2972 wrote to memory of 2544 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe sqyconul.exe PID 2972 wrote to memory of 2544 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe sqyconul.exe PID 2972 wrote to memory of 2544 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe sqyconul.exe PID 2972 wrote to memory of 2544 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe sqyconul.exe PID 2972 wrote to memory of 2652 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe hiiabtxgfauka.exe PID 2972 wrote to memory of 2652 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe hiiabtxgfauka.exe PID 2972 wrote to memory of 2652 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe hiiabtxgfauka.exe PID 2972 wrote to memory of 2652 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe hiiabtxgfauka.exe PID 1580 wrote to memory of 2724 1580 tzjajdzxsu.exe sqyconul.exe PID 1580 wrote to memory of 2724 1580 tzjajdzxsu.exe sqyconul.exe PID 1580 wrote to memory of 2724 1580 tzjajdzxsu.exe sqyconul.exe PID 1580 wrote to memory of 2724 1580 tzjajdzxsu.exe sqyconul.exe PID 2972 wrote to memory of 2952 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe WINWORD.EXE PID 2972 wrote to memory of 2952 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe WINWORD.EXE PID 2972 wrote to memory of 2952 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe WINWORD.EXE PID 2972 wrote to memory of 2952 2972 4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe WINWORD.EXE PID 2952 wrote to memory of 2336 2952 WINWORD.EXE splwow64.exe PID 2952 wrote to memory of 2336 2952 WINWORD.EXE splwow64.exe PID 2952 wrote to memory of 2336 2952 WINWORD.EXE splwow64.exe PID 2952 wrote to memory of 2336 2952 WINWORD.EXE splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\tzjajdzxsu.exetzjajdzxsu.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\sqyconul.exeC:\Windows\system32\sqyconul.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724 -
C:\Windows\SysWOW64\essmrpihhafingu.exeessmrpihhafingu.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036 -
C:\Windows\SysWOW64\sqyconul.exesqyconul.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2544 -
C:\Windows\SysWOW64\hiiabtxgfauka.exehiiabtxgfauka.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2652 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD555e02394a4d611a7ea6f3cb2ce8d5218
SHA11b1a72ddf02ba96dd89447996189b9b59bc89c1e
SHA2563119bc76e6d00a80fb5671b03f084b4490980b20c9f1511b8ac47579dd662cb6
SHA512fef252980045721ee357a17588062bcd91dbc8af8d72b003b343df263d143bfc895ebc60feef73597ea94857e1604f54c604f994e337f7c55a90089511b75595
-
Filesize
512KB
MD56da9527d9ebd4dcc86695fd7f5b8491f
SHA157eb97d64e832ed98ccbd0845e15886f56f0bfe5
SHA256ffd04ebaf37648184eb647ad489b441bacf1263ff695dcfa23372bf0e1754ac5
SHA5123e261f0674061ef4e1d74a6aa68d181d723e1b03410d956a702711bc08766a0a39c4a7d21c7083deb6faeae72f77cf46d61edb5b8e9a39207185cfa091a2df1b
-
Filesize
20KB
MD5e3cabf925999f02e77e981dc62bac0c6
SHA1142913e88c355b2cfdbf5d313cb3600990b97a59
SHA2569c8d3ad51c1b63a27fd4adf15791d03b006f400b84f6cd3dab3f333007a0ceea
SHA512afa1d3a96c77749b9ae00855da0734c519370d7e1d9c22e79a8c84f74575d6e3ad99a4c422c07452d4b7d2ced84a444b2fd040ee28b3cdfa3f6699da2b6b0191
-
Filesize
512KB
MD58591bc4827299f35aa766813c7148882
SHA13eff2b1b33fb25f5a465153d343c05a67873a7fd
SHA25662336a2009bc55164b886ec18bb9d378f7f49f86f211ebcb34bf39202f084206
SHA51200e9b9a58ff5011d4002f05af9e940c09083a719dc9a0ad29de824cb4f56129724bdf6757e29093df843056a92c7955a0047c3b00d0af3226e65c782765e743d
-
Filesize
512KB
MD54aabb8cf3e1c596f9948b6da31989213
SHA15e9c5d7ecef0692af7789b4aab6a0af89c5322f9
SHA2567214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246
SHA5123b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5f304679324f51d93d6fc3d3ec175e67e
SHA143ef87a21dbc4cdb47e97fc7689131652a66bcd0
SHA2569f8b10428218d0720477f2bc90c76b13456e6455337283dfe6f47729822f0787
SHA512bd83de1d98f5dea3b9ba171fa97c1a79009f7cc0aa128052624e252718296c923f89983cc18d1c31252c352748b3f484627087c03c1b6994f7bf4ea1847c5762
-
Filesize
512KB
MD57d56c11c78a413b973aaba6ec124b54d
SHA134318911c116cf2351ec81bcc83324f40910201a
SHA256829b20a3afae05fc6f9ba7d3cd5f95f6cb477caef727f5a57ddd27c1e3c17fba
SHA51271732ccc6d6c36cf9f722b9b83c16687fd812f1f52f150597133a1bb8134e52a5a34ef574c8f3c6cb2789e67ea467c0c25961b88bdf928ae31503601df7ee71e
-
Filesize
512KB
MD5f7e75bf41fc6b01ce38fca593184c20e
SHA1b3bcb64bc1d84070778aa0c47c327b6932ceedd1
SHA256453b0324f21dedf53715d2e0534d3a8c4156f8af6a9771db51127cc106fb03b8
SHA51211d015dde8a6ea2a7a9df140fccc4fa6a444b70bdd62b38b4be9bd949af283aed347e0dfe0227b81352716ed240615f805adcb6916f394a56c343a04235785b6
-
Filesize
512KB
MD5709842db14904f25820c294d9994e467
SHA1135140b42f32887fd9958d17444d742fb7e582d5
SHA256eb8000a67e5a688475ee129f9d9178415c4d29a5e1df780e3fbaea97574b32f1
SHA512e9ee71eec1f0591d9ebea7741e6a893a1a473cc487d051b3f73467479557f9a5e43a47dd9cc0fbea44cdbf1c7b4cf97a1b4ece296dc4c3e56de2a7f7acf9ff86