Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22/07/2024, 15:36
Behavioral task
behavioral1
Sample
63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
25 signatures
150 seconds
General
-
Target
63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe
-
Size
255KB
-
MD5
63c31534cdc96cc4b341e926a266c818
-
SHA1
7da3c9c3394753afd247b167bac39d7afb01070d
-
SHA256
9e88d3386dcb22458eac5c79eec4a2618750e30282ab74be805ed8b5021f38c0
-
SHA512
2e7ec63cfd36261abdecd8865cb901ee6dcb19e59c44288bdabb0d9d53540cf25d03d045c3a8cd2b8a275eb510f93b6b89bbf8f5b2c93915ed0a7946b599e335
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ4:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI5
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" czprviqyro.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" czprviqyro.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" czprviqyro.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" czprviqyro.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe -
Executes dropped EXE 5 IoCs
pid Process 1116 czprviqyro.exe 4432 hafiejynudwfjip.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 2116 qlygybxk.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/3356-0-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x00070000000234c0-5.dat upx behavioral2/files/0x00080000000234bc-20.dat upx behavioral2/files/0x00070000000234c1-29.dat upx behavioral2/files/0x00070000000234c2-31.dat upx behavioral2/memory/2032-33-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-32-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-27-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-26-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3356-36-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x00070000000234d1-69.dat upx behavioral2/files/0x00070000000234d2-75.dat upx behavioral2/memory/4348-89-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-90-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-91-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-88-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-87-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-226-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-230-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-229-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-228-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-227-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-225-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000c0000000234f8-232.dat upx behavioral2/files/0x000c0000000234f8-237.dat upx behavioral2/memory/2116-239-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-243-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-242-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-241-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-240-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-244-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-245-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-246-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-247-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-248-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-249-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-250-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-252-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-251-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-253-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-254-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-258-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-260-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-262-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-261-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-259-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2116-266-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4348-265-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-267-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-269-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-268-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-271-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-272-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-270-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-273-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-274-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-275-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-297-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-299-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-298-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4432-301-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1116-300-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-302-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2032-305-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" czprviqyro.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ybajfibcrhmsf.exe" hafiejynudwfjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\utowjxzd = "czprviqyro.exe" hafiejynudwfjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\frvgurhe = "hafiejynudwfjip.exe" hafiejynudwfjip.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: qlygybxk.exe File opened (read-only) \??\z: czprviqyro.exe File opened (read-only) \??\e: qlygybxk.exe File opened (read-only) \??\r: qlygybxk.exe File opened (read-only) \??\s: qlygybxk.exe File opened (read-only) \??\w: qlygybxk.exe File opened (read-only) \??\e: czprviqyro.exe File opened (read-only) \??\h: czprviqyro.exe File opened (read-only) \??\i: czprviqyro.exe File opened (read-only) \??\l: qlygybxk.exe File opened (read-only) \??\a: qlygybxk.exe File opened (read-only) \??\t: qlygybxk.exe File opened (read-only) \??\u: qlygybxk.exe File opened (read-only) \??\y: qlygybxk.exe File opened (read-only) \??\g: qlygybxk.exe File opened (read-only) \??\w: qlygybxk.exe File opened (read-only) \??\z: qlygybxk.exe File opened (read-only) \??\p: czprviqyro.exe File opened (read-only) \??\k: qlygybxk.exe File opened (read-only) \??\x: qlygybxk.exe File opened (read-only) \??\a: qlygybxk.exe File opened (read-only) \??\p: qlygybxk.exe File opened (read-only) \??\y: qlygybxk.exe File opened (read-only) \??\x: czprviqyro.exe File opened (read-only) \??\j: qlygybxk.exe File opened (read-only) \??\h: qlygybxk.exe File opened (read-only) \??\j: qlygybxk.exe File opened (read-only) \??\n: czprviqyro.exe File opened (read-only) \??\o: czprviqyro.exe File opened (read-only) \??\t: qlygybxk.exe File opened (read-only) \??\q: czprviqyro.exe File opened (read-only) \??\z: qlygybxk.exe File opened (read-only) \??\v: czprviqyro.exe File opened (read-only) \??\o: qlygybxk.exe File opened (read-only) \??\v: qlygybxk.exe File opened (read-only) \??\s: qlygybxk.exe File opened (read-only) \??\l: czprviqyro.exe File opened (read-only) \??\m: czprviqyro.exe File opened (read-only) \??\r: czprviqyro.exe File opened (read-only) \??\b: qlygybxk.exe File opened (read-only) \??\g: czprviqyro.exe File opened (read-only) \??\p: qlygybxk.exe File opened (read-only) \??\l: qlygybxk.exe File opened (read-only) \??\m: qlygybxk.exe File opened (read-only) \??\s: czprviqyro.exe File opened (read-only) \??\i: qlygybxk.exe File opened (read-only) \??\v: qlygybxk.exe File opened (read-only) \??\w: czprviqyro.exe File opened (read-only) \??\n: qlygybxk.exe File opened (read-only) \??\i: qlygybxk.exe File opened (read-only) \??\m: qlygybxk.exe File opened (read-only) \??\q: qlygybxk.exe File opened (read-only) \??\n: qlygybxk.exe File opened (read-only) \??\r: qlygybxk.exe File opened (read-only) \??\b: czprviqyro.exe File opened (read-only) \??\b: qlygybxk.exe File opened (read-only) \??\h: qlygybxk.exe File opened (read-only) \??\k: czprviqyro.exe File opened (read-only) \??\t: czprviqyro.exe File opened (read-only) \??\u: czprviqyro.exe File opened (read-only) \??\g: qlygybxk.exe File opened (read-only) \??\q: qlygybxk.exe File opened (read-only) \??\u: qlygybxk.exe File opened (read-only) \??\x: qlygybxk.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" czprviqyro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" czprviqyro.exe -
AutoIT Executable 57 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2032-33-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-32-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-27-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3356-36-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-89-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-90-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-91-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-88-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-87-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-226-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-230-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-229-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-228-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-227-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-225-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-239-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-243-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-242-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-241-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-240-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-244-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-245-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-246-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-247-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-248-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-249-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-250-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-252-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-251-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-253-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-254-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-258-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-260-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-262-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-261-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-259-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2116-266-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4348-265-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-267-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-269-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-268-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-271-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-272-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-270-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-273-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-274-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-275-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-297-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-299-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-298-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-301-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-300-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-302-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2032-305-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4432-304-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-303-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1116-306-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\hafiejynudwfjip.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ybajfibcrhmsf.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe qlygybxk.exe File created C:\Windows\SysWOW64\czprviqyro.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File created C:\Windows\SysWOW64\hafiejynudwfjip.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\qlygybxk.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File created C:\Windows\SysWOW64\ybajfibcrhmsf.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll czprviqyro.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification C:\Windows\SysWOW64\czprviqyro.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File created C:\Windows\SysWOW64\qlygybxk.exe 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qlygybxk.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qlygybxk.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal qlygybxk.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal qlygybxk.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qlygybxk.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qlygybxk.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qlygybxk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal qlygybxk.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification C:\Windows\mydoc.rtf 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe qlygybxk.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe qlygybxk.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe qlygybxk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B1FE6B22DFD27AD1A68B089111" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15F44E7399E52BEBAD0339DD7CD" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFACCF96BF19083753B4B81EB39E6B38A02F04216033FE1C442E909D1" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D0D9D5082226D4376A077272DD77CF564D6" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFFC4858851B9145D72E7D97BDEEE630593067336246D7E9" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70814E4DAC7B9C17FE6ED9634CC" 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat czprviqyro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" czprviqyro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf czprviqyro.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg czprviqyro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs czprviqyro.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2512 WINWORD.EXE 2512 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 2032 ybajfibcrhmsf.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 2116 qlygybxk.exe 2116 qlygybxk.exe 2116 qlygybxk.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 4432 hafiejynudwfjip.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 1116 czprviqyro.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 4348 qlygybxk.exe 2032 ybajfibcrhmsf.exe 2116 qlygybxk.exe 2116 qlygybxk.exe 2116 qlygybxk.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE 2512 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3356 wrote to memory of 1116 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 85 PID 3356 wrote to memory of 1116 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 85 PID 3356 wrote to memory of 1116 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 85 PID 3356 wrote to memory of 4432 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 86 PID 3356 wrote to memory of 4432 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 86 PID 3356 wrote to memory of 4432 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 86 PID 3356 wrote to memory of 4348 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 87 PID 3356 wrote to memory of 4348 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 87 PID 3356 wrote to memory of 4348 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 87 PID 3356 wrote to memory of 2032 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 88 PID 3356 wrote to memory of 2032 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 88 PID 3356 wrote to memory of 2032 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 88 PID 3356 wrote to memory of 2512 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 90 PID 3356 wrote to memory of 2512 3356 63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe 90 PID 1116 wrote to memory of 2116 1116 czprviqyro.exe 92 PID 1116 wrote to memory of 2116 1116 czprviqyro.exe 92 PID 1116 wrote to memory of 2116 1116 czprviqyro.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\63c31534cdc96cc4b341e926a266c818_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\czprviqyro.execzprviqyro.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\qlygybxk.exeC:\Windows\system32\qlygybxk.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2116
-
-
-
C:\Windows\SysWOW64\hafiejynudwfjip.exehafiejynudwfjip.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4432
-
-
C:\Windows\SysWOW64\qlygybxk.exeqlygybxk.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4348
-
-
C:\Windows\SysWOW64\ybajfibcrhmsf.exeybajfibcrhmsf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2032
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2512
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD58568fdabed7c550aa1ee56c4c2027d48
SHA1ebc083d042b2b71510eae2919416b46c3d861897
SHA256a93891d8d3d668c02a1e31a3eebe392e2e87bab041764ad390dc5463e2f77356
SHA512375a644d88f5b6e2d6d738d0569c1e585af80105a3c9e65d29f799fd3ed75b9e76fb31574016820f061870ff8560dc6230bd7a94f3dee23500b225531dc3559c
-
Filesize
255KB
MD58905c1d08b27657678cf0be9dc4c6fa8
SHA1759b742b888917edb93c74e1ab0565df0fbe568d
SHA256f6b23dc3e26b025732ffa48bf644db65c8c3ce0fe5c5335ae46c6ed14e629b45
SHA512d656e39bbe698ca6be237526323ddf9370686c22a88ee446191d39a91a6d071409a884e0b9a5122f8a0b98cd5d363c41fbacf2b8194bfb8735324debe64b8c20
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
430B
MD5842011f4dcc9d3ed835ee3ad87d38fc6
SHA1b7f9ba87577401042357769a041f2f753ef47477
SHA256d9fbd34cc4ffa0c0116f70af1d6c95656a1e0145d8cf1dc086371e4468c2c08f
SHA512ad2993b67cd132a1f448861eadb4d398645055edea657e13bb828c7d5fab3408b4724b12cbf8dda529b86a0948081932d3fc3969f82568e5901cc483291d6a65
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD5c376886178dbd7c6c0a8868d091288d4
SHA182a675b3d44842fd907f52fe94a1686565922045
SHA256d7ac98785b77c96ddcc90ba7cb662dd49d106433d633be7c2cb9049da85c6403
SHA512f1f0e5527180e7b503b99694877e69edb8008cb37b9ffdb803b542df1453b63b766b5c72b5fcba07d590b68d61d10cd3e7b1219ab0821ff83d30e175ff497b50
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD57fc1aed2401e7cce653b66f25fcdb85c
SHA176a48b5f67e16f97d45740b0b8642c633daa602b
SHA25687f655acd9dd50d7c66c801d7e8e32ef138c2e88ac7ad6902c1c2e0dc2501f39
SHA5121bc5f3f6e7d18b582ccbb3f49bcca544449d1c6a638c12160d359c35532d968ec4e04e1887555480678dbd752be546bbfbb6e3868d9d4d2d1f80ecc965351e98
-
Filesize
255KB
MD50ede563940b0ea8746f3fba8c9c9168e
SHA13ece1c62604150e9cfb36d8aae00f836ee9ba7ca
SHA256db4ffa72cd92e2e44dd2bc1822bd64dd93dc50a967cfdae9953b360bc286ae82
SHA51226201f87add31fc3180fe39099be8a41f231d833225fb56cb528bb9845953b8361d158951ddd9dd07bd66549ae92a61525d22e7a081d6ea260608d1498f272e0
-
Filesize
255KB
MD580e8f641507d784c990ec71ed9430a7b
SHA11138545c27a064f10f5fad4d7c8b7f186068bc92
SHA2568def7163507e839a43172b1330818c8cc4a778118dbb21c47b1f123022a3faf1
SHA5122b0bf907b6d2fefededb2b8f7008e965bbe04646be03df930b2adbb515765d31be968dd5e86d2039e8acdc1bbf4e7ef4e9ff7c48e377dbbb896eb76ee577af12
-
Filesize
255KB
MD5531bd829b92bc6a7d97ff44c98c3bf5a
SHA1abca543872e8b18892649d0ae8c3035daf4256dc
SHA256ab0527f113e143559187631eca0b71ced264ce8185b798ae9836c68a835c75d8
SHA5125ff20c2cc5ad38e156a1725b8009e7015b8298e8abea938fe3547bc4c1401f787e0fe26ae13cc70284cfe96069c8ef02c52dc03a675a250f0c57077fc2ebb20d
-
Filesize
255KB
MD5423dc977ef1c06d7527df068dd1ff3c7
SHA17e2da6995f818420b3f7bb023eb3a9ef6dd626c3
SHA256fd1561bf1252a9e336f2756ad703570451f67de7d637144b53b7eb3e29c65794
SHA512247f09be689feb4b1874e2ad3fe685741cd2ea17346bd50ce3091560e77fc114352fd573d57cd3e20e944329382619af79ca7979de3550a30080d3114264c8ef
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD5ce9dd08a77eb70968319ccdf7fc30624
SHA1ef158d879402505b4fa73918edda11c91a18c14d
SHA25679ba6e7a3023fb65272b37fc32ed4810628b60858690092fcb6b2dd830a20371
SHA51265d36a6f9163c828d8e1a257a37c0de15d76ba5654ba232e5a99034709d1716983e118b77c108fc3df97f6ade41a419b29af3a3e6a193a025f5d909b1ec96a4f
-
Filesize
255KB
MD553ae5f2de8e86e321d2324cc558cd4ca
SHA1dd6df929e789fcad16350d44d879b0c58c26855d
SHA256e3c7c808c975643e7c0adbd90714e2de607c0e5c1caa69fa87c9f8a425c29b2b
SHA51202ae9987a20caefa7b00342893870bd75c5b6a38523045e890f460956862741625a6fe9aa7afa2d1cde2b13e6511806a2c29915bfd041a5b9eabc1840a0844dc