Analysis
max time kernel: 140s
max time network: 137s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 13:19
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
Resource
win7-20240903-en
General
Target: JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
Size: 17.4MB
MD5: aae012354e85221816f8134e9c132a2d
SHA1: bc9d12afad76bc94406f60b1c2d2218c0e42ae43
SHA256: 10dbd9fb6bd529abd0de6b9d4333eea2953616dc2f2c350802b1b8f158d7efdd
SHA512: 6b470bc7289d5a1185df6f90b2fe59fb658525214e9f21a6353d4386879717a7be4f585bd2a51fcd2a65e0393cc72e9a25ae8f73df119c6027ca70898e7f472f
SSDEEP: 393216:C7QNic/q/5Eo9+T91Vk8eV5AUDznzVdbPjEoLprZ:C7c/C5ES+Tu8ePtDzn/Pj9tZ
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 7 IoCs
Cycbot is a backdoor and trojan written in C++.
resource  yara_rule
behavioral1/memory/2596-463-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/2728-551-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/2596-715-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/1728-726-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/2596-946-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/2596-964-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
behavioral1/memory/2596-1417-0x0000000000400000-0x0000000000469000-memory.dmp  family_cycbot
Modifies security service 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  setupSkypeSetup_5.8.0.154.exe
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Disables taskbar notifications via registry modification
-
Executes dropped EXE 4 IoCs
pid  Process
2596  setupSkypeSetup_5.8.0.154.exe
2728  setupSkypeSetup_5.8.0.154.exe
1728  setupSkypeSetup_5.8.0.154.exe
2792  6DD0.tmp
Loads dropped DLL 14 IoCs
pid  Process
2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2728  setupSkypeSetup_5.8.0.154.exe
2728  setupSkypeSetup_5.8.0.154.exe
2728  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
1728  setupSkypeSetup_5.8.0.154.exe
1728  setupSkypeSetup_5.8.0.154.exe
1728  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F72.exe = "C:\\Program Files (x86)\\LP\\D4F6\\F72.exe"  setupSkypeSetup_5.8.0.154.exe
Blocklisted process makes network request 4 IoCs
flow  pid  Process
6  2584  msiexec.exe
11  2584  msiexec.exe
16  2584  msiexec.exe
20  2584  msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
resource  yara_rule
behavioral1/memory/2596-463-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/2728-551-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/2596-715-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/1728-726-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/2596-946-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/2596-964-0x0000000000400000-0x0000000000469000-memory.dmp  upx
behavioral1/memory/2596-1417-0x0000000000400000-0x0000000000469000-memory.dmp  upx
Drops file in Program Files directory 5 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\LP\D4F6\6DD0.tmp  setupSkypeSetup_5.8.0.154.exe
File opened for modification  C:\Program Files (x86)\Skype Technologies S.A\Skype\Uninstall.exe  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
File created  C:\Program Files (x86)\Skype Technologies S.A\Skype\Uninstall.ini  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
File created  C:\Program Files (x86)\LP\D4F6\F72.exe  setupSkypeSetup_5.8.0.154.exe
File opened for modification  C:\Program Files (x86)\LP\D4F6\F72.exe  setupSkypeSetup_5.8.0.154.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setupSkypeSetup_5.8.0.154.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setupSkypeSetup_5.8.0.154.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6DD0.tmp
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setupSkypeSetup_5.8.0.154.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Modifies registry class 5 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid  Process
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
2596  setupSkypeSetup_5.8.0.154.exe
Suspicious use of AdjustPrivilegeToken 55 IoCs
description  pid  Process
Token: SeShutdownPrivilege  2584  msiexec.exe
Token: SeIncreaseQuotaPrivilege  2584  msiexec.exe
Token: SeRestorePrivilege  1136  msiexec.exe
Token: SeTakeOwnershipPrivilege  1136  msiexec.exe
Token: SeSecurityPrivilege  1136  msiexec.exe
Token: SeCreateTokenPrivilege  2584  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  2584  msiexec.exe
Token: SeLockMemoryPrivilege  2584  msiexec.exe
Token: SeIncreaseQuotaPrivilege  2584  msiexec.exe
Token: SeMachineAccountPrivilege  2584  msiexec.exe
Token: SeTcbPrivilege  2584  msiexec.exe
Token: SeSecurityPrivilege  2584  msiexec.exe
Token: SeTakeOwnershipPrivilege  2584  msiexec.exe
Token: SeLoadDriverPrivilege  2584  msiexec.exe
Token: SeSystemProfilePrivilege  2584  msiexec.exe
Token: SeSystemtimePrivilege  2584  msiexec.exe
Token: SeProfSingleProcessPrivilege  2584  msiexec.exe
Token: SeIncBasePriorityPrivilege  2584  msiexec.exe
Token: SeCreatePagefilePrivilege  2584  msiexec.exe
Token: SeCreatePermanentPrivilege  2584  msiexec.exe
Token: SeBackupPrivilege  2584  msiexec.exe
Token: SeRestorePrivilege  2584  msiexec.exe
Token: SeShutdownPrivilege  2584  msiexec.exe
Token: SeDebugPrivilege  2584  msiexec.exe
Token: SeAuditPrivilege  2584  msiexec.exe
Token: SeSystemEnvironmentPrivilege  2584  msiexec.exe
Token: SeChangeNotifyPrivilege  2584  msiexec.exe
Token: SeRemoteShutdownPrivilege  2584  msiexec.exe
Token: SeUndockPrivilege  2584  msiexec.exe
Token: SeSyncAgentPrivilege  2584  msiexec.exe
Token: SeEnableDelegationPrivilege  2584  msiexec.exe
Token: SeManageVolumePrivilege  2584  msiexec.exe
Token: SeImpersonatePrivilege  2584  msiexec.exe
Token: SeCreateGlobalPrivilege  2584  msiexec.exe
Token: SeBackupPrivilege  1756  vssvc.exe
Token: SeRestorePrivilege  1756  vssvc.exe
Token: SeAuditPrivilege  1756  vssvc.exe
Token: SeBackupPrivilege  1136  msiexec.exe
Token: SeRestorePrivilege  1136  msiexec.exe
Token: SeRestorePrivilege  1484  msiexec.exe
Token: SeTakeOwnershipPrivilege  1484  msiexec.exe
Token: SeSecurityPrivilege  1484  msiexec.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Token: SeShutdownPrivilege  2336  explorer.exe
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 2584 msiexec.exe 2696 iexplore.exe 2584 msiexec.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2696 iexplore.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe 2336 explorer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid  Process
2696  iexplore.exe
2696  iexplore.exe
2612  IEXPLORE.EXE
2612  IEXPLORE.EXE
2612  IEXPLORE.EXE
2612  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 46 IoCs
description  pid  Process  procid_target
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2596  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  31
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2584  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  32
PID 2708 wrote to memory of 2696  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  33
PID 2708 wrote to memory of 2696  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  33
PID 2708 wrote to memory of 2696  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  33
PID 2708 wrote to memory of 2696  2708  JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe  33
PID 2696 wrote to memory of 2612  2696  iexplore.exe  34
PID 2696 wrote to memory of 2612  2696  iexplore.exe  34
PID 2696 wrote to memory of 2612  2696  iexplore.exe  34
PID 2696 wrote to memory of 2612  2696  iexplore.exe  34
PID 1136 wrote to memory of 2712  1136  msiexec.exe  38
PID 1136 wrote to memory of 2712  1136  msiexec.exe  38
PID 1136 wrote to memory of 2712  1136  msiexec.exe  38
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 2728  2596  setupSkypeSetup_5.8.0.154.exe  41
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 1728  2596  setupSkypeSetup_5.8.0.154.exe  43
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
PID 2596 wrote to memory of 2792  2596  setupSkypeSetup_5.8.0.154.exe  45
System policy modification 1 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  setupSkypeSetup_5.8.0.154.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  setupSkypeSetup_5.8.0.154.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aae012354e85221816f8134e9c132a2d.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
  C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe "C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe" 2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2596
    C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe startC:\Users\Admin\AppData\Roaming\62007\04BD4.exe%C:\Users\Admin\AppData\Roaming\62007 3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2728
    C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe C:\Users\Admin\AppData\Local\Temp\setupSkypeSetup_5.8.0.154.exe startC:\Program Files (x86)\07417\lvvm.exe%C:\Program Files (x86)\07417 3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1728
    C:\Program Files (x86)\LP\D4F6\6DD0.tmp "C:\Program Files (x86)\LP\D4F6\6DD0.tmp" 3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2792
  C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\SkypeSetup_5.8.0.154.msi" 2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2584
  C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" http://www.blitzdownloads.com/id/2496/ 2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2 3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2612
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
  C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1136 -s 872 2⤵
  PID:2712
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484
C:\Windows\explorer.exe explorer.exe 1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2336
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 3
  - Credentials In Files: 3
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD59004fcbcbf0cb8138db0e9cc1103a991
SHA153f57e8dadb0ce013de299cd26d40d8aaf464f7e
SHA2565fd289bc41e45d229bf0465f323c658d0e80dec433e2ce4f12eb69ae715278d5
SHA5129aee8411eb9b5bcea38007a9dfd62a74b3903f84d181d130dae56febded6e9289d3e130af7f6156cee147e428c46325469c7bf820d45b9f60c4f9782d6d3720b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5de13efda530bc7b2934307e035d426ff
SHA18acc21c7db526005bee91a652a7a800506c1967d
SHA256622c6ff3341b4c81f31ef079df850289377eb18d3e6abf5cefdee54bb1304b55
SHA5127ece52ac5eff38d3e7ca97d5033bd627d8bdce90682ecf8a8e1adb574ae2cbd4ccad8c789154860ab61f9176363719152eb8c9953f3a7c0528f26c58befb6568
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55ee05b17fb9169bdffc7ad0ab2cb6737
SHA175dbc760a0d72a00bdc022ddf9b5d67bd364850e
SHA2568d68919b44d6d2e46059f289097ea96fdd17597f51f9946f05db91d5062fca4b
SHA512dac7777470fd3357449a10e73fbfd9618c6d45e86327ef91a6c343c8b3f8cb472ba978ea76d64b82178ddb89efa0c12b28f0bc31461d81bde92b3c0a1a5b8c9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a0a9a2d4b6f2fb17a39b5a933b788bf8
SHA1b76e37906d56784b83dd0bdc3541e65cbddf6001
SHA2564983dc344d3684baf08d12bf5dbfbe4c76f639609fc210746fd024052b00246e
SHA5121c57ffaf97801682bfd20821d85eefd5386850cbf65de8337cc7a4be0fe2d5dbb56c0b08eb64fa155776c65c83c0335457bef9f45d1c212004e6bd33434e6b24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bc4168089dc961c26ef6940fbed62909
SHA1d0334dff0ef27d56a6b0b1eacaae19ca3002ae62
SHA2562de2992a75fe92c29c3f97cc8ab3ec6ec48a214172ee6d96aa1af2dd294a9770
SHA5129f50ce969cf7c0e335de5ef45a49f3e6b429a93ac250cdeaf0115ecf65c92f7e89a26ef7f32265d7bf0865480e3de40e1ccf95461ff7c293f1d71064e590f1aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5af2dc756d102ae809b73d1b1272e6543
SHA18b06d5db88626216faa22415791d61db6daccd09
SHA2561fcd468a37b0bb44cf3ef166a710e11a97129619dc02b8455df7bb7968e9a265
SHA51232d5e80b506650356826b30d67dde41b7c859e45d60155209e096a7e719dafcf7c861e63a99487048ed6370c52bcfed329b2978eab721115ecb7f0042b152634
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a58e33d0f3a3e0f184721dfdf1f9e478
SHA121b9273820062921dbab7e6e6498e955db7649b2
SHA2568ebebe225750638009c8be5999385b97d3031b72854cbbdd15ecee1847fd5a3d
SHA512d1d032023cd0e11cdca453b0ee11bd64faefebea85676e9ceac677185f42aa4fc4ed0ae17735df39340c4b6cde9b3eb155607451040cb309274afde5d0f901b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f242882c72819c33b1aeb059763d2bc2
SHA1982fc6c3561bdb84fdbab1b637731461cfe73c4f
SHA25648233ce29730471b23271ac34644a65e58202d52b25495fb9ca174ff30a2d17c
SHA512f743923ea28587303163bb2c07c5a75f6fe405ef3723d2b00d9c5c525c02454a3dade9a5bce62668a1cbee670be33f26a3a97855db757c5ba1dbf4c66490d94a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5de4f66e5dc31bd5f0d71e7dceaf21ed2
SHA17d873459e5ce639ac50daedf6cf4139dc4990042
SHA2567b01a17ffb84c38390f11f17eb407ab05b6ea9b6fec57996b045267bff7b6368
SHA51270d1a941a8ed26165d6e11d034c5a23309b65894778d773207a959c5a29fcdd0cb0a5bd39f87ea1e31e1743a0c4d8550af3266778479d8b5e7eae313744ccfdc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B