Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 18:46
Behavioral task: behavioral1
- Sample: JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
- Size: 1.3MB
- MD5: 718e3d0dc5c404d7118e97ac85d754f6
- SHA1: a4ee7e06c49a3935a0192ace8abe2b849509fe2e
- SHA256: 6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15
- SHA512: fce2a782de420252b00f02ff16f942216a65d86e90c328b79589bd90b4fe0b88951bd27622506a1ca221864ed273a620f9b0314c26754a1ce3f706f6686ca2ed
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2620 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2672 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2596 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 672 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1560 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1292 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 332 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1724 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 948 | 2592 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2592 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x0008000000016d47-9.dat | dcrat
behavioral1/memory/2080-13-0x0000000000900000-0x0000000000A10000-memory.dmp | dcrat
behavioral1/memory/2276-41-0x0000000000DA0000-0x0000000000EB0000-memory.dmp | dcrat
behavioral1/memory/1052-192-0x00000000013D0000-0x00000000014E0000-memory.dmp | dcrat
behavioral1/memory/2724-371-0x0000000000330000-0x0000000000440000-memory.dmp | dcrat
behavioral1/memory/1636-431-0x0000000001040000-0x0000000001150000-memory.dmp | dcrat
behavioral1/memory/1472-610-0x00000000011B0000-0x00000000012C0000-memory.dmp | dcrat
behavioral1/memory/1548-730-0x00000000001D0000-0x00000000002E0000-memory.dmp | dcrat
behavioral1/memory/2624-791-0x00000000013A0000-0x00000000014B0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1924 | powershell.exe
308 | powershell.exe
1632 | powershell.exe
1508 | powershell.exe
1012 | powershell.exe
1752 | powershell.exe
2968 | powershell.exe
-
Executes dropped EXE 14 IoCs
pid | Process
2080 | DllCommonsvc.exe
2276 | Idle.exe
2488 | Idle.exe
1052 | Idle.exe
1700 | Idle.exe
2840 | Idle.exe
2724 | Idle.exe
1636 | Idle.exe
876 | Idle.exe
488 | Idle.exe
1472 | Idle.exe
2548 | Idle.exe
1548 | Idle.exe
2624 | Idle.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2516 | cmd.exe
2516 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow | ioc
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
36 | raw.githubusercontent.com
42 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
22 | raw.githubusercontent.com
25 | raw.githubusercontent.com
29 | raw.githubusercontent.com
33 | raw.githubusercontent.com
39 | raw.githubusercontent.com
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\101b941d020240 | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe | DllCommonsvc.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ug\6ccacd8608530f | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Downloaded Program Files\csrss.exe | DllCommonsvc.exe
File created | C:\Windows\Downloaded Program Files\886983d96e3d3e | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2672 | schtasks.exe
2660 | schtasks.exe
672 | schtasks.exe
1560 | schtasks.exe
332 | schtasks.exe
948 | schtasks.exe
2932 | schtasks.exe
2428 | schtasks.exe
2752 | schtasks.exe
1292 | schtasks.exe
2832 | schtasks.exe
2804 | schtasks.exe
2620 | schtasks.exe
1916 | schtasks.exe
2596 | schtasks.exe
1724 | schtasks.exe
2764 | schtasks.exe
1896 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2080 | DllCommonsvc.exe
2080 | DllCommonsvc.exe
2080 | DllCommonsvc.exe
1632 | powershell.exe
1924 | powershell.exe
1012 | powershell.exe
308 | powershell.exe
1508 | powershell.exe
1752 | powershell.exe
2968 | powershell.exe
2276 | Idle.exe
2488 | Idle.exe
1052 | Idle.exe
1700 | Idle.exe
2840 | Idle.exe
2724 | Idle.exe
1636 | Idle.exe
876 | Idle.exe
488 | Idle.exe
1472 | Idle.exe
2548 | Idle.exe
1548 | Idle.exe
2624 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2080 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1632 | powershell.exe
Token: SeDebugPrivilege | 1924 | powershell.exe
Token: SeDebugPrivilege | 1012 | powershell.exe
Token: SeDebugPrivilege | 308 | powershell.exe
Token: SeDebugPrivilege | 1508 | powershell.exe
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 2968 | powershell.exe
Token: SeDebugPrivilege | 2276 | Idle.exe
Token: SeDebugPrivilege | 2488 | Idle.exe
Token: SeDebugPrivilege | 1052 | Idle.exe
Token: SeDebugPrivilege | 1700 | Idle.exe
Token: SeDebugPrivilege | 2840 | Idle.exe
Token: SeDebugPrivilege | 2724 | Idle.exe
Token: SeDebugPrivilege | 1636 | Idle.exe
Token: SeDebugPrivilege | 876 | Idle.exe
Token: SeDebugPrivilege | 488 | Idle.exe
Token: SeDebugPrivilege | 1472 | Idle.exe
Token: SeDebugPrivilege | 2548 | Idle.exe
Token: SeDebugPrivilege | 1548 | Idle.exe
Token: SeDebugPrivilege | 2624 | Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 2908 | 2124 | JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe | 30
PID 2124 wrote to memory of 2908 | 2124 | JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe | 30
PID 2124 wrote to memory of 2908 | 2124 | JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe | 30
PID 2124 wrote to memory of 2908 | 2124 | JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe | 30
PID 2908 wrote to memory of 2516 | 2908 | WScript.exe | 31
PID 2908 wrote to memory of 2516 | 2908 | WScript.exe | 31
PID 2908 wrote to memory of 2516 | 2908 | WScript.exe | 31
PID 2908 wrote to memory of 2516 | 2908 | WScript.exe | 31
PID 2516 wrote to memory of 2080 | 2516 | cmd.exe | 33
PID 2516 wrote to memory of 2080 | 2516 | cmd.exe | 33
PID 2516 wrote to memory of 2080 | 2516 | cmd.exe | 33
PID 2516 wrote to memory of 2080 | 2516 | cmd.exe | 33
PID 2080 wrote to memory of 1012 | 2080 | DllCommonsvc.exe | 53
PID 2080 wrote to memory of 1012 | 2080 | DllCommonsvc.exe | 53
PID 2080 wrote to memory of 1012 | 2080 | DllCommonsvc.exe | 53
PID 2080 wrote to memory of 1752 | 2080 | DllCommonsvc.exe | 54
PID 2080 wrote to memory of 1752 | 2080 | DllCommonsvc.exe | 54
PID 2080 wrote to memory of 1752 | 2080 | DllCommonsvc.exe | 54
PID 2080 wrote to memory of 2968 | 2080 | DllCommonsvc.exe | 56
PID 2080 wrote to memory of 2968 | 2080 | DllCommonsvc.exe | 56
PID 2080 wrote to memory of 2968 | 2080 | DllCommonsvc.exe | 56
PID 2080 wrote to memory of 1924 | 2080 | DllCommonsvc.exe | 57
PID 2080 wrote to memory of 1924 | 2080 | DllCommonsvc.exe | 57
PID 2080 wrote to memory of 1924 | 2080 | DllCommonsvc.exe | 57
PID 2080 wrote to memory of 308 | 2080 | DllCommonsvc.exe | 58
PID 2080 wrote to memory of 308 | 2080 | DllCommonsvc.exe | 58
PID 2080 wrote to memory of 308 | 2080 | DllCommonsvc.exe | 58
PID 2080 wrote to memory of 1632 | 2080 | DllCommonsvc.exe | 59
PID 2080 wrote to memory of 1632 | 2080 | DllCommonsvc.exe | 59
PID 2080 wrote to memory of 1632 | 2080 | DllCommonsvc.exe | 59
PID 2080 wrote to memory of 1508 | 2080 | DllCommonsvc.exe | 60
PID 2080 wrote to memory of 1508 | 2080 | DllCommonsvc.exe | 60
PID 2080 wrote to memory of 1508 | 2080 | DllCommonsvc.exe | 60
PID 2080 wrote to memory of 2276 | 2080 | DllCommonsvc.exe | 67
PID 2080 wrote to memory of 2276 | 2080 | DllCommonsvc.exe | 67
PID 2080 wrote to memory of 2276 | 2080 | DllCommonsvc.exe | 67
PID 2276 wrote to memory of 2728 | 2276 | Idle.exe | 68
PID 2276 wrote to memory of 2728 | 2276 | Idle.exe | 68
PID 2276 wrote to memory of 2728 | 2276 | Idle.exe | 68
PID 2728 wrote to memory of 2696 | 2728 | cmd.exe | 70
PID 2728 wrote to memory of 2696 | 2728 | cmd.exe | 70
PID 2728 wrote to memory of 2696 | 2728 | cmd.exe | 70
PID 2728 wrote to memory of 2488 | 2728 | cmd.exe | 72
PID 2728 wrote to memory of 2488 | 2728 | cmd.exe | 72
PID 2728 wrote to memory of 2488 | 2728 | cmd.exe | 72
PID 2488 wrote to memory of 2732 | 2488 | Idle.exe | 73
PID 2488 wrote to memory of 2732 | 2488 | Idle.exe | 73
PID 2488 wrote to memory of 2732 | 2488 | Idle.exe | 73
PID 2732 wrote to memory of 2076 | 2732 | cmd.exe | 75
PID 2732 wrote to memory of 2076 | 2732 | cmd.exe | 75
PID 2732 wrote to memory of 2076 | 2732 | cmd.exe | 75
PID 2732 wrote to memory of 1052 | 2732 | cmd.exe | 76
PID 2732 wrote to memory of 1052 | 2732 | cmd.exe | 76
PID 2732 wrote to memory of 1052 | 2732 | cmd.exe | 76
PID 1052 wrote to memory of 2284 | 1052 | Idle.exe | 77
PID 1052 wrote to memory of 2284 | 1052 | Idle.exe | 77
PID 1052 wrote to memory of 2284 | 1052 | Idle.exe | 77
PID 2284 wrote to memory of 448 | 2284 | cmd.exe | 79
PID 2284 wrote to memory of 448 | 2284 | cmd.exe | 79
PID 2284 wrote to memory of 448 | 2284 | cmd.exe | 79
PID 2284 wrote to memory of 1700 | 2284 | cmd.exe | 80
PID 2284 wrote to memory of 1700 | 2284 | cmd.exe | 80
PID 2284 wrote to memory of 1700 | 2284 | cmd.exe | 80
PID 1700 wrote to memory of 2908 | 1700 | Idle.exe | 81
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6dd584fc700a6eb471099e0dcc35ea4aec45a5abb4bca19be7da2317e0598f15.exe"
  1⤵ PID:2124
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵ PID:2908
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\providercommon\1zu9dW.bat" "
  3⤵ PID:2516
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
C:\providercommon\DllCommonsvc.exe
  "C:\providercommon\DllCommonsvc.exe"
  4⤵ PID:2080
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  5⤵ PID:1012
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
  5⤵ PID:1752
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
  5⤵ PID:2968
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
  5⤵ PID:1924
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
  5⤵ PID:308
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'
  5⤵ PID:1632
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'
  5⤵ PID:1508
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  5⤵ PID:2276
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
  6⤵ PID:2728
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  7⤵ PID:2696
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  7⤵ PID:2488
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
  8⤵ PID:2732
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  9⤵ PID:2076
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  9⤵ PID:1052
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
  10⤵ PID:2284
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  11⤵ PID:448
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  11⤵ PID:1700
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
  12⤵ PID:2908
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  13⤵ PID:2888
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  13⤵ PID:2840
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
  14⤵ PID:2072
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  15⤵ PID:2740
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  15⤵ PID:2724
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
  16⤵ PID:604
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  17⤵ PID:2088
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  17⤵ PID:1636
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
  18⤵ PID:1592
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  19⤵ PID:2664
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  19⤵ PID:876
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
  20⤵ PID:1616
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  21⤵ PID:1040
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  21⤵ PID:488
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
  22⤵ PID:1568
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  23⤵ PID:2648
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  23⤵ PID:1472
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
  24⤵ PID:2080
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  25⤵ PID:1764
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  25⤵ PID:2548
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
  26⤵ PID:2856
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  27⤵ PID:2944
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  27⤵ PID:1548
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
  28⤵ PID:2676
C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  29⤵ PID:2504
C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe
  "C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe"
  29⤵ PID:2624
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
  1⤵ PID:2620
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
  1⤵ PID:2932
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
  1⤵ PID:2672
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
  1⤵ PID:1916
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  1⤵ PID:2596
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
  1⤵ PID:2660
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
  1⤵ PID:2428
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  1⤵ PID:2752
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  1⤵ PID:672
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
  1⤵ PID:1560
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  1⤵ PID:1292
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
  1⤵ PID:332
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /f
  1⤵ PID:1724
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /rl HIGHEST /f
  1⤵ PID:2764
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\lsm.exe'" /rl HIGHEST /f
  1⤵ PID:2832
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /f
  1⤵ PID:1896
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /rl HIGHEST /f
  1⤵ PID:948
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ug\Idle.exe'" /rl HIGHEST /f
  1⤵ PID:2804
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads