Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system -
submitted
14-06-2024 05:10
Static task
static1
Behavioral task
behavioral1
Sample
a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
a81b54183962d320b915383292f0f750_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
a81b54183962d320b915383292f0f750_JaffaCakes118.exe
-
Size
512KB
-
MD5
a81b54183962d320b915383292f0f750
-
SHA1
cc2c84c9f066dde2366ab449105447a8cae78344
-
SHA256
f73a49608e21884caf0716fdfe24f2df54c105e30906971a5ecee65da5c9e869
-
SHA512
e2431728209cd5974f9e6353870400e7ed84b4b5450734b8416a9162e052b2d6957c3599516161e08a07d47da2e1ac9a4d42cf6ca87f6f32d343eb4da4e4a5fb
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dvxnsgsmlh.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dvxnsgsmlh.exe
-
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dvxnsgsmlh.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dvxnsgsmlh.exe
-
Executes dropped EXE 5 IoCs
Processes:
dvxnsgsmlh.exe, ddesmzanjwpiaey.exe, ogzbujjx.exe, dajnsgqydykma.exe, ogzbujjx.exe
pid | process
2452 | dvxnsgsmlh.exe
2368 | ddesmzanjwpiaey.exe
2816 | ogzbujjx.exe
2820 | dajnsgqydykma.exe
2964 | ogzbujjx.exe
-
Loads dropped DLL 5 IoCs
Processes:
a81b54183962d320b915383292f0f750_JaffaCakes118.exe, dvxnsgsmlh.exe
pid | process
3052 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
3052 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
3052 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
3052 | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
2452 | dvxnsgsmlh.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dvxnsgsmlh.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
ddesmzanjwpiaey.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bbyxzgts = "dvxnsgsmlh.exe" | ddesmzanjwpiaey.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icwicyfl = "ddesmzanjwpiaey.exe" | ddesmzanjwpiaey.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dajnsgqydykma.exe" | ddesmzanjwpiaey.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
dvxnsgsmlh.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dvxnsgsmlh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dvxnsgsmlh.exe
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/3052-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
C:\Windows\SysWOW64\ddesmzanjwpiaey.exe | autoit_exe
\Windows\SysWOW64\dvxnsgsmlh.exe | autoit_exe
\Windows\SysWOW64\ogzbujjx.exe | autoit_exe
C:\Windows\SysWOW64\dajnsgqydykma.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | autoit_exe
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | autoit_exe
-
Drops file in System32 directory 9 IoCs
Processes:
a81b54183962d320b915383292f0f750_JaffaCakes118.exe, dvxnsgsmlh.exe
description | ioc | process
File created | C:\Windows\SysWOW64\dvxnsgsmlh.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ddesmzanjwpiaey.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ogzbujjx.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ogzbujjx.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\dajnsgqydykma.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dvxnsgsmlh.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ddesmzanjwpiaey.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dajnsgqydykma.exe | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dvxnsgsmlh.exe
-
Drops file in Program Files directory 15 IoCs
Processes:
ogzbujjx.exe, ogzbujjx.exe
description | ioc | process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ogzbujjx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ogzbujjx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ogzbujjx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ogzbujjx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ogzbujjx.exe
-
Drops file in Windows directory 5 IoCs
Processes:
a81b54183962d320b915383292f0f750_JaffaCakes118.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | a81b54183962d320b915383292f0f750_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
2736 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
2736 | WINWORD.EXE
2736 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a81b54183962d320b915383292f0f750_JaffaCakes118.exe", tree level 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3052

C:\Windows\SysWOW64\dvxnsgsmlh.exe (command line: dvxnsgsmlh.exe, tree level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2452

C:\Windows\SysWOW64\ogzbujjx.exe (command line: C:\Windows\system32\ogzbujjx.exe, tree level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2964

C:\Windows\SysWOW64\ddesmzanjwpiaey.exe (command line: ddesmzanjwpiaey.exe, tree level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2368

C:\Windows\SysWOW64\ogzbujjx.exe (command line: ogzbujjx.exe, tree level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2816

C:\Windows\SysWOW64\dajnsgqydykma.exe (command line: dajnsgqydykma.exe, tree level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2820

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf", tree level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2736

C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288, tree level 3)
PID: 2892

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)

Downloads