Analysis
-
max time kernel
128s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 15:59
Behavioral task
behavioral1
Sample
b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe
-
Size
2.2MB
-
MD5
b45afd5799f415ef925645e741a8e2e1
-
SHA1
870520ec6cce10193c753b002227d81f0496bd93
-
SHA256
1eeb3ae16d0a3fee2306ce192995dda5af2f94d20ac8c6c1b242f5b613adbb84
-
SHA512
3fcbd0a3197a25d7cba8c2a0eaeb75b267e206b1ce81cd1d38251936002080d28a7bd8ac6348afd6cd713bb9f9cd4ff16756d85b6b5cea08f800e674524054a7
-
SSDEEP
24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZT:0UzeyQMS4DqodCnoe+iitjWwwf
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 408 explorer.exe 4416 explorer.exe 4296 spoolsv.exe 4596 spoolsv.exe 768 spoolsv.exe 5020 spoolsv.exe 4576 spoolsv.exe 2888 spoolsv.exe 4152 spoolsv.exe 1336 spoolsv.exe 4820 spoolsv.exe 3300 spoolsv.exe 4532 spoolsv.exe 3028 spoolsv.exe 1624 spoolsv.exe 2428 spoolsv.exe 1804 spoolsv.exe 740 spoolsv.exe 5056 spoolsv.exe 372 spoolsv.exe 4448 spoolsv.exe 4684 spoolsv.exe 448 spoolsv.exe 2144 spoolsv.exe 532 spoolsv.exe 840 spoolsv.exe 3596 spoolsv.exe 1640 spoolsv.exe 4992 spoolsv.exe 3080 spoolsv.exe 3152 spoolsv.exe 4904 spoolsv.exe 3608 spoolsv.exe 4432 spoolsv.exe 3488 spoolsv.exe 2624 spoolsv.exe 5048 spoolsv.exe 2620 explorer.exe 1968 spoolsv.exe 2276 spoolsv.exe 4900 spoolsv.exe 4872 spoolsv.exe 3688 spoolsv.exe 4504 spoolsv.exe 4484 spoolsv.exe 1868 explorer.exe 3968 spoolsv.exe 4832 spoolsv.exe 4636 spoolsv.exe 4044 spoolsv.exe 3024 spoolsv.exe 4444 spoolsv.exe 4356 explorer.exe 1356 spoolsv.exe 4964 spoolsv.exe 4120 spoolsv.exe 2756 spoolsv.exe 3948 spoolsv.exe 1712 spoolsv.exe 4164 explorer.exe 824 spoolsv.exe 4608 spoolsv.exe 1216 spoolsv.exe 3308 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 43 IoCs
description pid Process procid_target PID 1688 set thread context of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 408 set thread context of 4416 408 explorer.exe 92 PID 4296 set thread context of 5048 4296 spoolsv.exe 127 PID 4596 set thread context of 1968 4596 spoolsv.exe 129 PID 768 set thread context of 2276 768 spoolsv.exe 130 PID 5020 set thread context of 4900 5020 spoolsv.exe 131 PID 4576 set thread context of 4872 4576 spoolsv.exe 132 PID 2888 set thread context of 3688 2888 spoolsv.exe 133 PID 4152 set thread context of 4504 4152 spoolsv.exe 134 PID 1336 set thread context of 3968 1336 spoolsv.exe 137 PID 4820 set thread context of 4832 4820 spoolsv.exe 138 PID 3300 set thread context of 4636 3300 spoolsv.exe 139 PID 4532 set thread context of 4044 4532 spoolsv.exe 140 PID 3028 set thread context of 4444 3028 spoolsv.exe 142 PID 1624 set thread context of 1356 1624 spoolsv.exe 144 PID 2428 set thread context of 4964 2428 spoolsv.exe 145 PID 1804 set thread context of 4120 1804 spoolsv.exe 146 PID 740 set thread context of 2756 740 spoolsv.exe 147 PID 5056 set thread context of 1712 5056 spoolsv.exe 149 PID 372 set thread context of 824 372 spoolsv.exe 151 PID 4448 set thread context of 4608 4448 spoolsv.exe 152 PID 4684 set thread context of 1216 4684 spoolsv.exe 153 PID 448 set thread context of 3308 448 spoolsv.exe 154 PID 2144 set thread context of 4520 2144 spoolsv.exe 156 PID 532 set thread context of 4524 532 spoolsv.exe 158 PID 840 set thread context of 4780 840 spoolsv.exe 159 PID 3596 set thread context of 1252 3596 spoolsv.exe 160 PID 1640 set thread context of 1528 1640 spoolsv.exe 162 PID 4992 set thread context of 2900 4992 spoolsv.exe 163 PID 3080 set thread context of 2328 3080 spoolsv.exe 165 PID 3152 set thread context of 1728 3152 spoolsv.exe 166 PID 4904 set thread context of 916 4904 spoolsv.exe 168 PID 3608 set thread context of 3312 3608 spoolsv.exe 169 PID 4432 set thread context of 1796 4432 spoolsv.exe 171 PID 3488 set thread context of 1800 3488 spoolsv.exe 174 PID 2620 set thread context of 3112 2620 explorer.exe 180 PID 2624 set thread context of 2860 2624 spoolsv.exe 182 PID 4484 set thread context of 1808 4484 spoolsv.exe 186 PID 1868 set thread context of 3964 1868 explorer.exe 188 PID 4356 set thread context of 4492 4356 explorer.exe 193 PID 3024 set thread context of 2512 3024 spoolsv.exe 194 PID 3948 set thread context of 4852 3948 spoolsv.exe 199 PID 4164 set thread context of 4988 4164 explorer.exe 201 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\explorer.exe b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4416 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 4416 explorer.exe 5048 spoolsv.exe 5048 spoolsv.exe 1968 spoolsv.exe 1968 spoolsv.exe 2276 spoolsv.exe 2276 spoolsv.exe 4900 spoolsv.exe 4900 spoolsv.exe 4872 spoolsv.exe 4872 spoolsv.exe 3688 spoolsv.exe 3688 spoolsv.exe 4504 spoolsv.exe 4504 spoolsv.exe 3968 spoolsv.exe 3968 spoolsv.exe 4832 spoolsv.exe 4832 spoolsv.exe 4636 spoolsv.exe 4636 spoolsv.exe 4044 spoolsv.exe 4044 spoolsv.exe 4444 spoolsv.exe 4444 spoolsv.exe 1356 spoolsv.exe 1356 spoolsv.exe 4964 spoolsv.exe 4964 spoolsv.exe 4120 spoolsv.exe 4120 spoolsv.exe 2756 spoolsv.exe 2756 spoolsv.exe 1712 spoolsv.exe 1712 spoolsv.exe 824 spoolsv.exe 824 spoolsv.exe 4608 spoolsv.exe 4608 spoolsv.exe 1216 spoolsv.exe 1216 spoolsv.exe 3308 spoolsv.exe 3308 spoolsv.exe 4520 spoolsv.exe 4520 spoolsv.exe 4524 spoolsv.exe 4524 spoolsv.exe 4780 spoolsv.exe 4780 spoolsv.exe 1252 spoolsv.exe 1252 spoolsv.exe 1528 spoolsv.exe 1528 spoolsv.exe 2900 spoolsv.exe 2900 spoolsv.exe 2328 spoolsv.exe 2328 spoolsv.exe 1728 spoolsv.exe 1728 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 4216 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 82 PID 1688 wrote to memory of 4216 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 82 PID 1688 wrote to memory of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 1688 wrote to memory of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 1688 wrote to memory of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 1688 wrote to memory of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 1688 wrote to memory of 2336 1688 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 87 PID 2336 wrote to memory of 408 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 88 PID 2336 wrote to memory of 408 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 88 PID 2336 wrote to memory of 408 2336 b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe 88 PID 408 wrote to memory of 4416 408 explorer.exe 92 PID 408 wrote to memory of 4416 408 explorer.exe 92 PID 408 wrote to memory of 4416 408 explorer.exe 92 PID 408 wrote to memory of 4416 408 explorer.exe 92 PID 408 wrote to memory of 4416 408 explorer.exe 92 PID 4416 wrote to memory of 4296 4416 explorer.exe 93 PID 4416 wrote to memory of 4296 4416 explorer.exe 93 PID 4416 wrote to memory of 4296 4416 explorer.exe 93 PID 4416 wrote to memory of 4596 4416 explorer.exe 94 PID 4416 wrote to memory of 4596 4416 explorer.exe 94 PID 4416 wrote to memory of 4596 4416 explorer.exe 94 PID 4416 wrote to memory of 768 4416 explorer.exe 95 PID 4416 wrote to memory of 768 4416 explorer.exe 95 PID 4416 wrote to memory of 768 4416 explorer.exe 95 PID 4416 wrote to memory of 5020 4416 explorer.exe 96 PID 4416 wrote to memory of 5020 4416 explorer.exe 96 PID 4416 wrote to memory of 5020 4416 explorer.exe 96 PID 4416 wrote to memory of 4576 4416 explorer.exe 97 PID 4416 wrote to memory of 4576 4416 explorer.exe 97 PID 4416 wrote to memory of 4576 4416 explorer.exe 97 PID 4416 wrote to memory of 2888 4416 explorer.exe 98 PID 4416 wrote to memory of 2888 4416 explorer.exe 98 PID 4416 wrote to memory of 2888 4416 explorer.exe 98 PID 4416 wrote to memory of 4152 4416 explorer.exe 99 PID 4416 wrote to memory of 4152 4416 explorer.exe 99 PID 4416 wrote to memory of 4152 4416 explorer.exe 99 PID 4416 wrote to memory of 1336 4416 explorer.exe 100 PID 4416 wrote to memory of 1336 4416 explorer.exe 100 PID 4416 wrote to memory of 1336 4416 explorer.exe 100 PID 4416 wrote to memory of 4820 4416 explorer.exe 101 PID 4416 wrote to memory of 4820 4416 explorer.exe 101 PID 4416 wrote to memory of 4820 4416 explorer.exe 101 PID 4416 wrote to memory of 3300 4416 explorer.exe 102 PID 4416 wrote to memory of 3300 4416 explorer.exe 102 PID 4416 wrote to memory of 3300 4416 explorer.exe 102 PID 4416 wrote to memory of 4532 4416 explorer.exe 103 PID 4416 wrote to memory of 4532 4416 explorer.exe 103 PID 4416 wrote to memory of 4532 4416 explorer.exe 103 PID 4416 wrote to memory of 3028 4416 explorer.exe 104 PID 4416 wrote to memory of 3028 4416 explorer.exe 104 PID 4416 wrote to memory of 3028 4416 explorer.exe 104 PID 4416 wrote to memory of 1624 4416 explorer.exe 105 PID 4416 wrote to memory of 1624 4416 explorer.exe 105 PID 4416 wrote to memory of 1624 4416 explorer.exe 105 PID 4416 wrote to memory of 2428 4416 explorer.exe 106 PID 4416 wrote to memory of 2428 4416 explorer.exe 106 PID 4416 wrote to memory of 2428 4416 explorer.exe 106 PID 4416 wrote to memory of 1804 4416 explorer.exe 107 PID 4416 wrote to memory of 1804 4416 explorer.exe 107 PID 4416 wrote to memory of 1804 4416 explorer.exe 107 PID 4416 wrote to memory of 740 4416 explorer.exe 108 PID 4416 wrote to memory of 740 4416 explorer.exe 108 PID 4416 wrote to memory of 740 4416 explorer.exe 108 PID 4416 wrote to memory of 5056 4416 explorer.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:4216
-
-
C:\Users\Admin\AppData\Local\Temp\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b45afd5799f415ef925645e741a8e2e1_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4296 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5048 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2620 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3112
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4596 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:768 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2276
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4900
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4576 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4872
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2888 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3688
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4152 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4504 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1868 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3964
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1336 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3968
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4820 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4832
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3300 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4636
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4532 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4044
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3028 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4444 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4356 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4492
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2428 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1804 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4120
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:740 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5056 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4164 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4988
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:372 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:824
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4448 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:448 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3308
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4520 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:208 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:1516
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:532 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4524
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:840 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4780
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3596 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1252
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4992 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2900 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2640 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3392
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3080 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3152 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1728
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4904 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:916
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3608 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3312
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:5116 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3912
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4432 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3488 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1800
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2840 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:700
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2860
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3352
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2892
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4484 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1808
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2116
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3620
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3024 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2512
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1480
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3948 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4852
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:3040
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:5096
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2184
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2368
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1968 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3976
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1580
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1108 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4860
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1864
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3656 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1976
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1120 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3008
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3856 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1360
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4468 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4428
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4556 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4184
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2968
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4252
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4460
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2612 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3844
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2388 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2004
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:4404
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1856 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:744 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:624
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3124
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4360
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4452
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1676
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1048
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4536
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2424
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4000
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:316
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:556
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4896
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4516
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3276
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1364
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4004
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3048
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4016
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.2MB
MD5faff343b3bffbf521ac8fdbb748a9b35
SHA13bc36bca9b88bec844cdbe85cddbb362afd35cb2
SHA25624c159a5a86f71a6db1cd5dee892f9d93a3411bc5542a4dbd43626ace28cec9a
SHA512237cbc1011f8053566cbdfb5456d2040e7c83ef53c2d289e73801d7212d58b7e18cbf737185ddb085873fefc35faafb3f1e0d20cbd00e8b268719c4bfa137aba
-
Filesize
2.2MB
MD53a4aefc7636b9311d50da70ae5d225fa
SHA132103fc12233a6a11a2168c27c2ce71f86cc4ad7
SHA2564867478395c5380da2d9bf7488746a95479c2d2d63b88b8fdb07651c7869161b
SHA512bdf68a335d072a3a185498f7615da33f372fb3f5822a96589da34f8f184b990ed0a22f9d5da9e81b082d601812c25684aa069279242b94e18fa2dff2e037ec0b