Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
26/05/2024, 03:52
Static task
static1
Behavioral task
behavioral1
Sample
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe
-
Size
512KB
-
MD5
743eff7ff42d1cf8bb783735577868a7
-
SHA1
1d2f37382b24080b3af19e0a0b7decb0b04dbdab
-
SHA256
06507fdc6deba0ca9301fbe30ce8d9c450215a1cac9e4f0817e1fdc47000be06
-
SHA512
a454da802db3e3145b9bfcd9f9858d653ffb2d6c91e3f809b28aaae1793a009e3928ac48b606e81d978ff613c3b7010aea66d15a036ae303fe01d9fff6e3e85b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yykvwtqmpm.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yykvwtqmpm.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yykvwtqmpm.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yykvwtqmpm.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
pid Process 2696 yykvwtqmpm.exe 2368 ldugrbbpleokuvb.exe 2708 jqgqpltb.exe 2744 bmpcqrdsbrrff.exe 2840 jqgqpltb.exe -
Loads dropped DLL 5 IoCs
pid Process 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2696 yykvwtqmpm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yykvwtqmpm.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fvpigpjr = "yykvwtqmpm.exe" ldugrbbpleokuvb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tjmnnmvz = "ldugrbbpleokuvb.exe" ldugrbbpleokuvb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bmpcqrdsbrrff.exe" ldugrbbpleokuvb.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: jqgqpltb.exe File opened (read-only) \??\w: jqgqpltb.exe File opened (read-only) \??\l: yykvwtqmpm.exe File opened (read-only) \??\w: yykvwtqmpm.exe File opened (read-only) \??\h: jqgqpltb.exe File opened (read-only) \??\u: jqgqpltb.exe File opened (read-only) \??\z: jqgqpltb.exe File opened (read-only) \??\r: jqgqpltb.exe File opened (read-only) \??\m: jqgqpltb.exe File opened (read-only) \??\q: jqgqpltb.exe File opened (read-only) \??\y: jqgqpltb.exe File opened (read-only) \??\r: yykvwtqmpm.exe File opened (read-only) \??\s: yykvwtqmpm.exe File opened (read-only) \??\l: jqgqpltb.exe File opened (read-only) \??\t: jqgqpltb.exe File opened (read-only) \??\b: jqgqpltb.exe File opened (read-only) \??\a: yykvwtqmpm.exe File opened (read-only) \??\h: yykvwtqmpm.exe File opened (read-only) \??\x: yykvwtqmpm.exe File opened (read-only) \??\b: jqgqpltb.exe File opened (read-only) \??\k: jqgqpltb.exe File opened (read-only) \??\x: jqgqpltb.exe File opened (read-only) \??\i: yykvwtqmpm.exe File opened (read-only) \??\y: jqgqpltb.exe File opened (read-only) \??\v: jqgqpltb.exe File opened (read-only) \??\n: yykvwtqmpm.exe File opened (read-only) \??\u: yykvwtqmpm.exe File opened (read-only) \??\x: jqgqpltb.exe File opened (read-only) \??\l: jqgqpltb.exe File opened (read-only) \??\s: jqgqpltb.exe File opened (read-only) \??\p: yykvwtqmpm.exe File opened (read-only) \??\v: yykvwtqmpm.exe File opened (read-only) \??\z: yykvwtqmpm.exe File opened (read-only) \??\j: jqgqpltb.exe File opened (read-only) \??\o: jqgqpltb.exe File opened (read-only) \??\i: jqgqpltb.exe File opened (read-only) \??\j: jqgqpltb.exe File opened (read-only) \??\o: jqgqpltb.exe File opened (read-only) \??\n: jqgqpltb.exe File opened (read-only) \??\h: jqgqpltb.exe File opened (read-only) \??\e: yykvwtqmpm.exe File opened (read-only) \??\g: yykvwtqmpm.exe File opened (read-only) \??\q: yykvwtqmpm.exe File opened (read-only) \??\m: jqgqpltb.exe File opened (read-only) \??\p: jqgqpltb.exe File opened (read-only) \??\g: jqgqpltb.exe File opened (read-only) \??\y: yykvwtqmpm.exe File opened (read-only) \??\i: jqgqpltb.exe File opened (read-only) \??\e: jqgqpltb.exe File opened (read-only) \??\g: jqgqpltb.exe File opened (read-only) \??\a: jqgqpltb.exe File opened (read-only) \??\e: jqgqpltb.exe File opened (read-only) \??\n: jqgqpltb.exe File opened (read-only) \??\k: yykvwtqmpm.exe File opened (read-only) \??\o: yykvwtqmpm.exe File opened (read-only) \??\a: jqgqpltb.exe File opened (read-only) \??\q: jqgqpltb.exe File opened (read-only) \??\u: jqgqpltb.exe File opened (read-only) \??\r: jqgqpltb.exe File opened (read-only) \??\j: yykvwtqmpm.exe File opened (read-only) \??\t: yykvwtqmpm.exe File opened (read-only) \??\s: jqgqpltb.exe File opened (read-only) \??\v: jqgqpltb.exe File opened (read-only) \??\z: jqgqpltb.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yykvwtqmpm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yykvwtqmpm.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2916-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x0037000000016133-5.dat autoit_exe behavioral1/files/0x000e00000001214d-17.dat autoit_exe behavioral1/files/0x00070000000165d4-29.dat autoit_exe behavioral1/files/0x0007000000016824-33.dat autoit_exe behavioral1/files/0x00020000000001bf-49.dat autoit_exe behavioral1/files/0x0002000000003d1e-55.dat autoit_exe behavioral1/files/0x0006000000017568-84.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\jqgqpltb.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File created C:\Windows\SysWOW64\bmpcqrdsbrrff.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\bmpcqrdsbrrff.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll yykvwtqmpm.exe File created C:\Windows\SysWOW64\ldugrbbpleokuvb.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ldugrbbpleokuvb.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File created C:\Windows\SysWOW64\jqgqpltb.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File created C:\Windows\SysWOW64\yykvwtqmpm.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\yykvwtqmpm.exe 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe -
Drops file in Program Files directory 28 IoCs
description ioc Process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files\ExitRequest.doc.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jqgqpltb.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jqgqpltb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jqgqpltb.exe File opened for modification \??\c:\Program Files\CompareHide.doc.exe jqgqpltb.exe File opened for modification \??\c:\Program Files\ExitRequest.doc.exe jqgqpltb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files\ExitRequest.doc.exe jqgqpltb.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jqgqpltb.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jqgqpltb.exe File created \??\c:\Program Files\CompareHide.doc.exe jqgqpltb.exe File opened for modification \??\c:\Program Files\CompareHide.doc.exe jqgqpltb.exe File opened for modification \??\c:\Program Files\ExitRequest.doc.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jqgqpltb.exe File opened for modification C:\Program Files\CompareHide.doc.exe jqgqpltb.exe File opened for modification C:\Program Files\CompareHide.nal jqgqpltb.exe File created \??\c:\Program Files\ExitRequest.doc.exe jqgqpltb.exe File opened for modification C:\Program Files\CompareHide.doc.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jqgqpltb.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jqgqpltb.exe File opened for modification C:\Program Files\CompareHide.nal jqgqpltb.exe File opened for modification C:\Program Files\ExitRequest.nal jqgqpltb.exe File opened for modification C:\Program Files\ExitRequest.nal jqgqpltb.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs yykvwtqmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yykvwtqmpm.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yykvwtqmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yykvwtqmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yykvwtqmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67B1594DAB5B8CA7CE9ECE337BC" 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2684 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2840 jqgqpltb.exe 2840 jqgqpltb.exe 2840 jqgqpltb.exe 2840 jqgqpltb.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2368 ldugrbbpleokuvb.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe Token: SeShutdownPrivilege 1684 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2840 jqgqpltb.exe 2840 jqgqpltb.exe 2840 jqgqpltb.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2696 yykvwtqmpm.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2368 ldugrbbpleokuvb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2708 jqgqpltb.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 2744 bmpcqrdsbrrff.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2684 WINWORD.EXE 2684 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2696 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2696 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2696 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2696 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 28 PID 2916 wrote to memory of 2368 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 29 PID 2916 wrote to memory of 2368 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 29 PID 2916 wrote to memory of 2368 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 29 PID 2916 wrote to memory of 2368 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 29 PID 2916 wrote to memory of 2708 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 30 PID 2916 wrote to memory of 2708 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 30 PID 2916 wrote to memory of 2708 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 30 PID 2916 wrote to memory of 2708 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 30 PID 2916 wrote to memory of 2744 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 31 PID 2916 wrote to memory of 2744 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 31 PID 2916 wrote to memory of 2744 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 31 PID 2916 wrote to memory of 2744 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 31 PID 2696 wrote to memory of 2840 2696 yykvwtqmpm.exe 32 PID 2696 wrote to memory of 2840 2696 yykvwtqmpm.exe 32 PID 2696 wrote to memory of 2840 2696 yykvwtqmpm.exe 32 PID 2696 wrote to memory of 2840 2696 yykvwtqmpm.exe 32 PID 2916 wrote to memory of 2684 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 33 PID 2916 wrote to memory of 2684 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 33 PID 2916 wrote to memory of 2684 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 33 PID 2916 wrote to memory of 2684 2916 743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe 33 PID 2684 wrote to memory of 2304 2684 WINWORD.EXE 38 PID 2684 wrote to memory of 2304 2684 WINWORD.EXE 38 PID 2684 wrote to memory of 2304 2684 WINWORD.EXE 38 PID 2684 wrote to memory of 2304 2684 WINWORD.EXE 38 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\743eff7ff42d1cf8bb783735577868a7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\yykvwtqmpm.exeyykvwtqmpm.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\jqgqpltb.exeC:\Windows\system32\jqgqpltb.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2840
-
-
-
C:\Windows\SysWOW64\ldugrbbpleokuvb.exeldugrbbpleokuvb.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2368
-
-
C:\Windows\SysWOW64\jqgqpltb.exejqgqpltb.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708
-
-
C:\Windows\SysWOW64\bmpcqrdsbrrff.exebmpcqrdsbrrff.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2744
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2304
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5f77cdeebd708c029af0eb847a87497fd
SHA12629306063b7f9cb290cace36687d863d024da96
SHA256f022a70bfc17d0a69a60cd8cc6a040fe1e916ea23d9b094f02da42cbf1ba138f
SHA51237242958bc76ecf46ee8491bc65cd8e6b58073ddb6e3b95fea687e4ce886fbc99c877b9be821520e0d8e8a4781c22d8538c3aa640f2129c25e4682cc2c070487
-
Filesize
512KB
MD537c30d46194ff7c0f5deb026b4c3350f
SHA1f6f22bc3409ad12941b9614afac7ec8fd9509b28
SHA2569fff469c201bb4565a8fa72bc15ab71133ff06d83f673bee6c9af87ca9d8e128
SHA51277aea98d543717cd52851d87cf2646fdb15c0cc05e5b5e01e6ed70667f748da8a555169e66af411901d2062182daffeb399ca4cbef1cc616d5f9c8fee39b8f4e
-
Filesize
512KB
MD543935bf0c1876f53c29f52191dc52c50
SHA12d626979dfba245093fb6032f4e72ca0be53eb06
SHA256ad262a9e6cd9b7f17ea90dd26c812603bf8b99cd803a6f23c8b7c502958c3570
SHA512d757081a845af82695466a08b6504aaf36fe5604defdc2e97230db51cc49d33ef700fd541f9b74c8531f110d40bbd57457a9bc27d495c033db1122299ce8bae5
-
Filesize
68B
MD5b831a0d16c9c0b1700967e6727756a24
SHA17b698f7ffb91210ee3c52dd809f54355fa9d4bf3
SHA25692067afeef70ee667d711e41fabe6c0e8ff5a10d042768e4dd9893cd623f13d1
SHA5127ec6993e6cb2ca1afe203eb51149de8fa0e623dab7896931e1949bc1c0aea64894bdb319af8d731e4f355552f280d870d6513b23cb69ccc55ccfaa13d0a23b5d
-
Filesize
512KB
MD5933724af37659b994e491c64fcb85008
SHA19122cc856f535a74cfb17758f50214746c4c5e78
SHA256bc76f39c538afaf76b2bd60c62bdab26ceaca25a2ce923a23e893e199e2bc73e
SHA512058ffcb3de3cbe087cc6ef5197e46cb7e2c326742effd22f0ef4f7fa04975623257c2f0a4b027d788a20b70ddcf8aa4369687a6f8b19c1fff649ace4019afc42
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD576e9b082ec3b54765811c4bd8e041fe4
SHA113e05990a1e67dc41115aa54390288ffe9146fd5
SHA256a8f60c4494039569cb9e1b9dd9ca4158a72d8208223a8310472e80ce6f901dea
SHA5124898172b2a61a68a350a520f507528530445f528746e5ad5e7737cf9912c4580f0c7723015d30befa50b90fd83555caa176da1fe2a3323309354bbe0a940cf24
-
Filesize
512KB
MD5c60b6ca198c9d1ca5bc9be50dfbcb26f
SHA1347277b9fbaefd6607ac05d51c3fb14fa7754ab2
SHA2564313895a0ca72bb0f8e6eed5ee4e41adf749d130224b1b587af3ee7ffe1fb09b
SHA51240d2c93b590fad40a434015ca22453be628201cc505c1d10e7c41e2ae661a1668115beac4c019e0a3d22095488b6059e62a579d8e6b5303d8380062d6d8a63b8
-
Filesize
512KB
MD5aab838709981285a4f60afc3efc5e027
SHA12e372f0d83ff6f344a891350bfb76f2c3b4c470a
SHA25614b4b50e762007a45746477f6ee7f5e071981540fc42f411d7dfe3c8452b4aab
SHA512dfe320a4c04c0f52159b2d2f3119a596dd549e65cb0d7020075672050a010ad54a688fefc1bea9e02f02d37c54cf7108e34ad913adc66083d2d89a09f36d8e49