Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:15
Behavioral task: behavioral1
Sample: b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe
Size: 2.2MB
MD5: b4836c4a2594cc5fcbe350d56ebcb14a
SHA1: 2adf3511c590c8e8396ac2228766e29781d1f201
SHA256: 353a3da4a3aa9fa77a87b0b24c30f760a265c3c8f55dd0179015266118267372
SHA512: 11a2714ff75791360ac07692e7fb10bb462616bd81c2aae86a71a3107d0f797f7a4a44426ffdf80a8c679c14d97b8db7194cbd382fcfb900fcc228ae3fa0368b
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWwwc
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (Process: explorer.exe)
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (Process: explorer.exe)
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (Process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (Process: explorer.exe)
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe (Process: b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe (Process: b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (Process: explorer.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (Process: explorer.exe)
Suspicious use of SetThreadContext 56 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1952 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:264
-
-
C:\Users\Admin\AppData\Local\Temp\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4836c4a2594cc5fcbe350d56ebcb14a_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:8 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1124 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2512 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3136
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4960 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3480 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1412
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
PID:4688 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4912 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2256 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1028 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:4684
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3468 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:208
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1836 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2536 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3208
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1264 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3836
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1920 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4112 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1884 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5040
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3280
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1252 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2972 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3912 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3164
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4516 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2896 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4048 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3552
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3972 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:892 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2068 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:376
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2380 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4996 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1948 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:5092
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3572 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3316
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4352 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2452 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:2432
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1800 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3604
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2436 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4488 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
PID:1576 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:3244
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2364 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:456
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4712 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2944
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3424 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2620
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1384 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1036
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5064 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"8⤵PID:2928
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4644 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3708
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3916
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:404 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3640
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:656
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:468 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4840
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1116
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2188 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2096
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:1812
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:528
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:2664
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4476 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4076
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3344 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3304 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3760
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3792 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2260
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Drops file in Windows directory
PID:4780
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3484
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4400 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4868
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:640 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4784
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3380 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:968
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4304 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3804 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1712
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1136
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:3224
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1076
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4624
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3856
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:920
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:940
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:412
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4956
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1396
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3000
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3216
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3200
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5116
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1788
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:500
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1452
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads