Analysis
max time kernel: 147s
max time network: 160s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2024 17:58
Behavioral task
behavioral1
Sample
CraxsRat v7.6/0Harmony.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
CraxsRat v7.6/0Harmony.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
CraxsRat v7.6/AntiBypass.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
CraxsRat v7.6/AntiBypass.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
CraxsRat v7.6/CraxsRat v7.6.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
CraxsRat v7.6/CraxsRat v7.6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
CraxsRat v7.6/DrakeUI.Framework.dll
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
CraxsRat v7.6/DrakeUI.Framework.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
CraxsRat v7.6/GeoIPCitys.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
CraxsRat v7.6/GeoIPCitys.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
CraxsRat v7.6/LiveCharts.MAPS.dll
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
CraxsRat v7.6/LiveCharts.MAPS.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
CraxsRat v7.6/LiveCharts.WinForms.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
CraxsRat v7.6/LiveCharts.WinForms.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
CraxsRat v7.6/LiveCharts.Wpf.dll
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
CraxsRat v7.6/LiveCharts.Wpf.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
CraxsRat v7.6/LiveCharts.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
CraxsRat v7.6/LiveCharts.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
CraxsRat v7.6/NAudio.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
CraxsRat v7.6/NAudio.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
CraxsRat v7.6/Newtonsoft.Json.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
CraxsRat v7.6/Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
CraxsRat v7.6/System.IO.Compression.ZipFile.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
CraxsRat v7.6/System.IO.Compression.ZipFile.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
CraxsRat v7.6/Telegram Channel.lnk
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
CraxsRat v7.6/Telegram Channel.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
CraxsRat v7.6/VeryReal.Framework.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
CraxsRat v7.6/VeryReal.Framework.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
CraxsRat v7.6/WinMM.Net.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
CraxsRat v7.6/WinMM.Net.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
CraxsRat v7.6/craxs.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
CraxsRat v7.6/craxs.dll
Resource
win10v2004-20241007-en
General
Target: CraxsRat v7.6/CraxsRat v7.6.exe
Size: 65.1MB
MD5: 272f7334e633d81757417aca3f7b9890
SHA1: 290030d91d98910ee5674e0efd2c2af055a2c3da
SHA256: 9c7b489b5139074e2fa6088e042a13eecaf781f0b7ff6d62c244159dc39c1f8c
SHA512: 2540812d4870140805741eb46fd8059a53958bcc84878e5059046687633f59a85b67137ac5c40e07624046c2f7289506f700d4fd2c181b1f69f2738661f2e46c
SSDEEP: 1572864:jmwRxPP7VydDyyFwjXsw8r8yosihxNcfDEvpTUWE8prCiSY:KwRxX8dyyFcsbohYfsprE8pHSY
Malware Config
Extracted
xworm
146.190.110.91:3389
Install_directory: %LocalAppData%
install_file: taskhostw.exe
telegram:
https://api.telegram.org/bot7825054734:AAGZqFAN8E4lv2mzGaChvBqZKYsgV2POVt4/sendMessage?chat_id=6801210841
Signatures

Detect Xworm Payload 2 IoCs
resource  yara_rule
behavioral5/files/0x000400000001dd5c-14.dat  family_xworm
behavioral5/memory/2488-15-0x0000000000240000-0x000000000025C000-memory.dmp  family_xworm

Xworm family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  CraxsRat v7.6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
1616  powershell.exe
2636  powershell.exe
1140  powershell.exe
2920  powershell.exe
2184  powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  CraxsRat v7.6.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  CraxsRat v7.6.exe

Drops startup file 3 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhostw.lnk  taskhostw.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.lnk  svchost.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskhostw.lnk  taskhostw.exe

Executes dropped EXE 4 IoCs
pid  Process
1992  CraxsRat v7.6.exe
2488  taskhostw.exe
2080  svchost.exe
1900  svchost.exe

Loads dropped DLL 2 IoCs
pid  Process
1992  CraxsRat v7.6.exe
2080  svchost.exe

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource  yara_rule
behavioral5/memory/1992-29-0x00000000200E0000-0x000000002115C000-memory.dmp  agile_net

resource  yara_rule
behavioral5/files/0x000400000001dd66-18.dat  themida
behavioral5/memory/1992-21-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-27-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-26-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-25-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-24-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-52-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-67-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-97-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-99-0x0000000180000000-0x0000000181261000-memory.dmp  themida
behavioral5/memory/1992-145-0x0000000180000000-0x0000000181261000-memory.dmp  themida

Checks whether UAC is enabled
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  CraxsRat v7.6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid  Process
1992  CraxsRat v7.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe

Delays execution with timeout.exe 1 IoCs
pid  Process
1792  timeout.exe

Modifies registry class 63 IoCs

Modifies system certificate store
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  CraxsRat v7.6.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob  CraxsRat v7.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1176  schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid  Process
2488  taskhostw.exe
1900  svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2636  powershell.exe
1140  powershell.exe
2920  powershell.exe
2184  powershell.exe
1616  powershell.exe
2488  taskhostw.exe (repeated for all remaining entries)

Suspicious use of AdjustPrivilegeToken 9 IoCs
description  pid  Process
Token: SeDebugPrivilege  2488  taskhostw.exe
Token: SeDebugPrivilege  2636  powershell.exe
Token: SeDebugPrivilege  1140  powershell.exe
Token: SeDebugPrivilege  2920  powershell.exe
Token: SeDebugPrivilege  2184  powershell.exe
Token: SeDebugPrivilege  1992  CraxsRat v7.6.exe
Token: SeDebugPrivilege  2080  svchost.exe
Token: SeDebugPrivilege  1616  powershell.exe
Token: SeDebugPrivilege  1900  svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs
pid  Process
1992  CraxsRat v7.6.exe (listed three times)

Suspicious use of SendNotifyMessage 1 IoCs
pid  Process
1992  CraxsRat v7.6.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2488  taskhostw.exe
1992  CraxsRat v7.6.exe

Suspicious use of WriteProcessMemory 42 IoCs
description  pid  Process  procid_target
(each row below appears three or four times in the report)
PID 2428 wrote to memory of 1992  2428  CraxsRat v7.6.exe  30
PID 2428 wrote to memory of 2488  2428  CraxsRat v7.6.exe  31
PID 2488 wrote to memory of 2636  2488  taskhostw.exe  32
PID 2488 wrote to memory of 1140  2488  taskhostw.exe  35
PID 2488 wrote to memory of 2920  2488  taskhostw.exe  37
PID 2488 wrote to memory of 2184  2488  taskhostw.exe  39
PID 2428 wrote to memory of 2080  2428  CraxsRat v7.6.exe  41
PID 2080 wrote to memory of 1616  2080  svchost.exe  43
PID 2080 wrote to memory of 1176  2080  svchost.exe  44
PID 2080 wrote to memory of 1900  2080  svchost.exe  47
PID 2080 wrote to memory of 1844  2080  svchost.exe  48
PID 1844 wrote to memory of 1792  1844  cmd.exe  50

Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat v7.6\CraxsRat v7.6.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat v7.6\CraxsRat v7.6.exe"
- Suspicious use of WriteProcessMemory
PID:2428

    C:\Users\Admin\AppData\Local\Temp\CraxsRat v7.6\CraxsRat v7.6.exe
    "C:\Users\Admin\AppData\Local\Temp\CraxsRat v7.6\CraxsRat v7.6.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1992

    C:\Users\Admin\AppData\Roaming\taskhostw.exe
    "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2636

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1140

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2920

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2184

    C:\ProgramData\svchost.exe
    "C:\ProgramData\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Services'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:1616

        C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /tn svchost.exe /tr "C:\Users\Admin\AppData\Local\Windows Services\svchost.exe" /st 18:07 /du 23:59 /sc daily /ri 1 /f
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID:1176

        C:\Users\Admin\AppData\Local\Windows Services\svchost.exe
        "C:\Users\Admin\AppData\Local\Windows Services\svchost.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        PID:1900

        C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp.cmd""
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1844

            C:\Windows\SysWOW64\timeout.exe
            timeout 6
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe
            PID:1792

Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
    - PowerShell (1)
- Scheduled Task/Job (1)
    - Scheduled Task (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
    - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads