Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 00:12
Static task: static1
Behavioral task: behavioral1
- Sample: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- Size: 512KB
- MD5: a316428effee4f96edee4b7601cfc78c
- SHA1: 62c62a83b191db7672a7aa45235c8446335b6e30
- SHA256: 3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b
- SHA512: 601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: nzsdxjqkoy.exe)
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: nzsdxjqkoy.exe)
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: nzsdxjqkoy.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: nzsdxjqkoy.exe)
Executes dropped EXE 5 IoCs
Processes: nzsdxjqkoy.exe, ovmytroaudrcrgd.exe, ifisuamf.exe, yzvzjvkwflgwr.exe, ifisuamf.exe
- PID 2036: nzsdxjqkoy.exe
- PID 2572: ovmytroaudrcrgd.exe
- PID 2672: ifisuamf.exe
- PID 2664: yzvzjvkwflgwr.exe
- PID 2868: ifisuamf.exe
Loads dropped DLL 5 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, nzsdxjqkoy.exe
- PID 2548: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- PID 2548: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- PID 2548: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- PID 2548: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
- PID 2036: nzsdxjqkoy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: nzsdxjqkoy.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Processes: ovmytroaudrcrgd.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\okzkyjgm = "nzsdxjqkoy.exe" (process: ovmytroaudrcrgd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgwsxcsb = "ovmytroaudrcrgd.exe" (process: ovmytroaudrcrgd.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yzvzjvkwflgwr.exe" (process: ovmytroaudrcrgd.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
Processes: nzsdxjqkoy.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: nzsdxjqkoy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: nzsdxjqkoy.exe)
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- behavioral1/memory/2548-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara_rule: autoit_exe)
- behavioral1/files/0x0009000000016a29-5.dat (yara_rule: autoit_exe)
- behavioral1/files/0x000a000000015f7a-17.dat (yara_rule: autoit_exe)
- behavioral1/files/0x0008000000016c04-27.dat (yara_rule: autoit_exe)
- behavioral1/files/0x0007000000016c51-33.dat (yara_rule: autoit_exe)
- behavioral1/files/0x0006000000017422-72.dat (yara_rule: autoit_exe)
- behavioral1/files/0x00060000000174a5-78.dat (yara_rule: autoit_exe)
Drops file in System32 directory 9 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, nzsdxjqkoy.exe
- File opened for modification: C:\Windows\SysWOW64\nzsdxjqkoy.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\ovmytroaudrcrgd.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ovmytroaudrcrgd.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\ifisuamf.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\ifisuamf.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (process: nzsdxjqkoy.exe)
- File created: C:\Windows\SysWOW64\nzsdxjqkoy.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\yzvzjvkwflgwr.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\yzvzjvkwflgwr.exe (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
Drops file in Program Files directory 14 IoCs
Processes: ifisuamf.exe, ifisuamf.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: ifisuamf.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: ifisuamf.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: ifisuamf.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: ifisuamf.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: ifisuamf.exe)
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: ifisuamf.exe)
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: ifisuamf.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: ifisuamf.exe)
Drops file in Windows directory 5 IoCs
Processes: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe, WINWORD.EXE
- File opened for modification: C:\Windows\mydoc.rtf (process: a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe)
- File opened for modification: C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- File opened for modification: C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
- PID 1940: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
- PID 1940: WINWORD.EXE
- PID 1940: WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c_JaffaCakes118.exe"
PID: 2548
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\nzsdxjqkoy.exe
  Command line: nzsdxjqkoy.exe
  PID: 2036
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ifisuamf.exe
    Command line: C:\Windows\system32\ifisuamf.exe
    PID: 2868
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ovmytroaudrcrgd.exe
  Command line: ovmytroaudrcrgd.exe
  PID: 2572
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ifisuamf.exe
  Command line: ifisuamf.exe
  PID: 2672
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\yzvzjvkwflgwr.exe
  Command line: yzvzjvkwflgwr.exe
  PID: 2664
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 1940
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 3048
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7

Downloads