Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 17/06/2024, 12:13
Static task: static1
Behavioral task: behavioral1
- Sample: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
- Size: 512KB
- MD5: b88f3160a897a6b88c253bc964821ef5
- SHA1: b32e26c0460852055d2999cf52a3f90a03c8e6d8
- SHA256: 049c0d29eec24d6ec5ab2fe67ba97837eed35b0a5414a56d78a4f37024bc12d5
- SHA512: 18c81fc85bf1b5de5db59f6f60573b57ecb8b344f923fdf0f84a0179a70c15b15eeab89d55a1d78c6949136a462cfce730898488f557f4880567970c73b2baf7
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nuidyfwuiu.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nuidyfwuiu.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nuidyfwuiu.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nuidyfwuiu.exe
Executes dropped EXE 5 IoCs
pid | Process
2576 | nuidyfwuiu.exe
2624 | riedoubqaimvzdt.exe
2668 | pwisvenp.exe
2852 | gftrtavrcktda.exe
2604 | pwisvenp.exe
Loads dropped DLL 5 IoCs
pid | Process
2908 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
2908 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
2908 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
2908 | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
2576 | nuidyfwuiu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nuidyfwuiu.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\plsponpe = "nuidyfwuiu.exe" | riedoubqaimvzdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hfiyzntt = "riedoubqaimvzdt.exe" | riedoubqaimvzdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gftrtavrcktda.exe" | riedoubqaimvzdt.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nuidyfwuiu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nuidyfwuiu.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2908-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0035000000016d61-5.dat | autoit_exe
behavioral1/files/0x000a00000001227e-17.dat | autoit_exe
behavioral1/files/0x0007000000016dda-33.dat | autoit_exe
behavioral1/files/0x0007000000016dde-38.dat | autoit_exe
behavioral1/files/0x0005000000019433-64.dat | autoit_exe
behavioral1/files/0x000500000001943e-70.dat | autoit_exe
behavioral1/files/0x0005000000019457-76.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\nuidyfwuiu.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nuidyfwuiu.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\riedoubqaimvzdt.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\riedoubqaimvzdt.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pwisvenp.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pwisvenp.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\gftrtavrcktda.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\gftrtavrcktda.exe | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nuidyfwuiu.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pwisvenp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pwisvenp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pwisvenp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pwisvenp.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pwisvenp.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | pwisvenp.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | pwisvenp.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2472 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2472 | WINWORD.EXE
2472 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b88f3160a897a6b88c253bc964821ef5_JaffaCakes118.exe"
  PID:2908
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\nuidyfwuiu.exe
    Command line: nuidyfwuiu.exe
    PID:2576
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\pwisvenp.exe
      Command line: C:\Windows\system32\pwisvenp.exe
      PID:2604
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\riedoubqaimvzdt.exe
    Command line: riedoubqaimvzdt.exe
    PID:2624
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pwisvenp.exe
    Command line: pwisvenp.exe
    PID:2668
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\gftrtavrcktda.exe
    Command line: gftrtavrcktda.exe
    PID:2852
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID:2472
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID:332
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7
Downloads