Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-07-2024 09:11
Behavioral task: behavioral1
Sample: 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
- Size: 255KB
- MD5: 2801a9f7eefec55c2810a9626aa0c79b
- SHA1: ec0e50add3e56067b559eae40ed00fac56a82d3c
- SHA256: 3887eff4b889764edab703166968e61f5c510d736513858fa7367e9a8f17a36c
- SHA512: 86ef40c89d6e2aab275ee28e639553cd7595dfc42470576f63b568a7187e6809d48040f933edfa7770d74ed19fce2f4948090e0c4dd81c32985abb4f911ac589
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIn
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wcwvweuhxu.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wcwvweuhxu.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcwvweuhxu.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcwvweuhxu.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
-
Executes dropped EXE 5 IoCs
pid | Process
536 | wcwvweuhxu.exe
3188 | sadblbdvroqfcoj.exe
3076 | idjsfine.exe
4876 | wbzgubcjphfdx.exe
4144 | idjsfine.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcwvweuhxu.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqlsoxwp = "wcwvweuhxu.exe" | sadblbdvroqfcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oewyzcqi = "sadblbdvroqfcoj.exe" | sadblbdvroqfcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wbzgubcjphfdx.exe" | sadblbdvroqfcoj.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wcwvweuhxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wcwvweuhxu.exe
-
AutoIT Executable 57 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\idjsfine.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | idjsfine.exe
File created | C:\Windows\SysWOW64\wcwvweuhxu.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wcwvweuhxu.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\idjsfine.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wcwvweuhxu.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | idjsfine.exe
File created | C:\Windows\SysWOW64\sadblbdvroqfcoj.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sadblbdvroqfcoj.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wbzgubcjphfdx.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wbzgubcjphfdx.exe | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | idjsfine.exe
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | idjsfine.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | idjsfine.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | idjsfine.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | idjsfine.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | idjsfine.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | idjsfine.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | idjsfine.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | C:\Windows\mydoc.rtf | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | idjsfine.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | idjsfine.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | idjsfine.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFACCF910F1E0837C3B43869F3E97B38D02FB4269033FE1CD42EF08A0" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67414E5DBB2B9CE7CE7EC9F34B9" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12E47E4389A53C8BAA2329BD7B8" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B4FE6822DBD27FD1A68B7E906A" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFFC4F2A856F903DD75A7D96BDE7E632593067416343D69C" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wcwvweuhxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wcwvweuhxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wcwvweuhxu.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C7B9D5582596D4476D577232CD67C8665DC" | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wcwvweuhxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wcwvweuhxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wcwvweuhxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wcwvweuhxu.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1260 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
3188 | sadblbdvroqfcoj.exe
3076 | idjsfine.exe
4876 | wbzgubcjphfdx.exe
536 | wcwvweuhxu.exe
4144 | idjsfine.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
3188 | sadblbdvroqfcoj.exe
3076 | idjsfine.exe
4876 | wbzgubcjphfdx.exe
536 | wcwvweuhxu.exe
4144 | idjsfine.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
3188 | sadblbdvroqfcoj.exe
3076 | idjsfine.exe
4876 | wbzgubcjphfdx.exe
536 | wcwvweuhxu.exe
4144 | idjsfine.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1260 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3608 wrote to memory of 536 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 85
PID 3608 wrote to memory of 536 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 85
PID 3608 wrote to memory of 536 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 85
PID 3608 wrote to memory of 3188 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 86
PID 3608 wrote to memory of 3188 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 86
PID 3608 wrote to memory of 3188 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 86
PID 3608 wrote to memory of 3076 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 87
PID 3608 wrote to memory of 3076 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 87
PID 3608 wrote to memory of 3076 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 87
PID 3608 wrote to memory of 4876 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 88
PID 3608 wrote to memory of 4876 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 88
PID 3608 wrote to memory of 4876 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 88
PID 3608 wrote to memory of 1260 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 89
PID 3608 wrote to memory of 1260 | 3608 | 2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe | 89
PID 536 wrote to memory of 4144 | 536 | wcwvweuhxu.exe | 91
PID 536 wrote to memory of 4144 | 536 | wcwvweuhxu.exe | 91
PID 536 wrote to memory of 4144 | 536 | wcwvweuhxu.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2801a9f7eefec55c2810a9626aa0c79b_JaffaCakes118.exe"
PID:3608
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wcwvweuhxu.exe
    wcwvweuhxu.exe
    PID:536
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\idjsfine.exe
        C:\Windows\system32\idjsfine.exe
        PID:4144
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\sadblbdvroqfcoj.exe
    sadblbdvroqfcoj.exe
    PID:3188
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\idjsfine.exe
    idjsfine.exe
    PID:3076
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\wbzgubcjphfdx.exe
    wbzgubcjphfdx.exe
    PID:4876
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID:1260
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
    - Registry Run Keys / Startup Folder: 1
    - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
    - Registry Run Keys / Startup Folder: 1
    - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
    - Hidden Files and Directories: 2
- Impair Defenses: 2
    - Disable or Modify Tools: 2
- Modify Registry: 6
Downloads