Analysis
-
max time kernel
148s
-
max time network
145s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
30/12/2024, 02:42
Behavioral task
behavioral1
Sample
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
-
Size
1.3MB
-
MD5
5bfc410c52b9a8e9586447e35a2e0571
-
SHA1
36439d929ecb0cc75393a0137bfc9bd9bcac10ce
-
SHA256
6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7
-
SHA512
32beff4980735ad8cff05f804f4242df20e14adaa13f3a897114ec87f819b5ab7d54d28a5683e14558d4c0569b1d0d7a89ba8b465a5bac9852cf205e4a3ecc21
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2344 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2952 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2136 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 484 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1296 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 780 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1620 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2788 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1828 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1076 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2908 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2560 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2900 | 2560 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0007000000016cec-9.dat | dcrat
behavioral1/memory/2576-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp | dcrat
behavioral1/memory/2020-45-0x0000000000220000-0x0000000000330000-memory.dmp | dcrat
behavioral1/memory/780-143-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/3024-204-0x0000000000340000-0x0000000000450000-memory.dmp | dcrat
behavioral1/memory/760-265-0x0000000000180000-0x0000000000290000-memory.dmp | dcrat
behavioral1/memory/2936-326-0x0000000000A70000-0x0000000000B80000-memory.dmp | dcrat
behavioral1/memory/2860-386-0x0000000000D10000-0x0000000000E20000-memory.dmp | dcrat
behavioral1/memory/2004-446-0x00000000002D0000-0x00000000003E0000-memory.dmp | dcrat
behavioral1/memory/1520-507-0x0000000000C40000-0x0000000000D50000-memory.dmp | dcrat
behavioral1/memory/2000-567-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
behavioral1/memory/1208-628-0x0000000000BB0000-0x0000000000CC0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2328 | powershell.exe
1632 | powershell.exe
2152 | powershell.exe
2376 | powershell.exe
2896 | powershell.exe
2224 | powershell.exe
1728 | powershell.exe
2140 | powershell.exe
2240 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2576 | DllCommonsvc.exe
2020 | smss.exe
780 | smss.exe
3024 | smss.exe
760 | smss.exe
2936 | smss.exe
2860 | smss.exe
2004 | smss.exe
1520 | smss.exe
2000 | smss.exe
1208 | smss.exe
2120 | smss.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2688 | cmd.exe
2688 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
25 | raw.githubusercontent.com
31 | raw.githubusercontent.com
35 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
22 | raw.githubusercontent.com
28 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\Accessories\de-DE\f3b6ecef712a24 | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\smss.exe | DllCommonsvc.exe
File created | C:\Program Files\Common Files\Services\69ddcba757bf72 | DllCommonsvc.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_391951119116a53b\dwm.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1076 | schtasks.exe
2908 | schtasks.exe
2344 | schtasks.exe
1796 | schtasks.exe
2520 | schtasks.exe
2352 | schtasks.exe
2788 | schtasks.exe
1844 | schtasks.exe
2128 | schtasks.exe
2784 | schtasks.exe
2580 | schtasks.exe
1620 | schtasks.exe
2460 | schtasks.exe
1828 | schtasks.exe
1148 | schtasks.exe
2952 | schtasks.exe
484 | schtasks.exe
780 | schtasks.exe
1296 | schtasks.exe
2840 | schtasks.exe
2900 | schtasks.exe
2968 | schtasks.exe
2980 | schtasks.exe
2136 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2576 | DllCommonsvc.exe
2576 | DllCommonsvc.exe
2576 | DllCommonsvc.exe
1728 | powershell.exe
2152 | powershell.exe
2896 | powershell.exe
2376 | powershell.exe
2240 | powershell.exe
2224 | powershell.exe
2328 | powershell.exe
2140 | powershell.exe
1632 | powershell.exe
2020 | smss.exe
780 | smss.exe
3024 | smss.exe
760 | smss.exe
2936 | smss.exe
2860 | smss.exe
2004 | smss.exe
1520 | smss.exe
2000 | smss.exe
1208 | smss.exe
2120 | smss.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2576 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2020 | smss.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 2152 | powershell.exe
Token: SeDebugPrivilege | 2896 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2240 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 2328 | powershell.exe
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeDebugPrivilege | 1632 | powershell.exe
Token: SeDebugPrivilege | 780 | smss.exe
Token: SeDebugPrivilege | 3024 | smss.exe
Token: SeDebugPrivilege | 760 | smss.exe
Token: SeDebugPrivilege | 2936 | smss.exe
Token: SeDebugPrivilege | 2860 | smss.exe
Token: SeDebugPrivilege | 2004 | smss.exe
Token: SeDebugPrivilege | 1520 | smss.exe
Token: SeDebugPrivilege | 2000 | smss.exe
Token: SeDebugPrivilege | 1208 | smss.exe
Token: SeDebugPrivilege | 2120 | smss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3024 wrote to memory of 2884 | 3024 | JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | 31
PID 3024 wrote to memory of 2884 | 3024 | JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | 31
PID 3024 wrote to memory of 2884 | 3024 | JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | 31
PID 3024 wrote to memory of 2884 | 3024 | JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe | 31
PID 2884 wrote to memory of 2688 | 2884 | WScript.exe | 32
PID 2884 wrote to memory of 2688 | 2884 | WScript.exe | 32
PID 2884 wrote to memory of 2688 | 2884 | WScript.exe | 32
PID 2884 wrote to memory of 2688 | 2884 | WScript.exe | 32
PID 2688 wrote to memory of 2576 | 2688 | cmd.exe | 34
PID 2688 wrote to memory of 2576 | 2688 | cmd.exe | 34
PID 2688 wrote to memory of 2576 | 2688 | cmd.exe | 34
PID 2688 wrote to memory of 2576 | 2688 | cmd.exe | 34
PID 2576 wrote to memory of 2224 | 2576 | DllCommonsvc.exe | 60
PID 2576 wrote to memory of 2224 | 2576 | DllCommonsvc.exe | 60
PID 2576 wrote to memory of 2224 | 2576 | DllCommonsvc.exe | 60
PID 2576 wrote to memory of 1728 | 2576 | DllCommonsvc.exe | 61
PID 2576 wrote to memory of 1728 | 2576 | DllCommonsvc.exe | 61
PID 2576 wrote to memory of 1728 | 2576 | DllCommonsvc.exe | 61
PID 2576 wrote to memory of 2896 | 2576 | DllCommonsvc.exe | 62
PID 2576 wrote to memory of 2896 | 2576 | DllCommonsvc.exe | 62
PID 2576 wrote to memory of 2896 | 2576 | DllCommonsvc.exe | 62
PID 2576 wrote to memory of 2328 | 2576 | DllCommonsvc.exe | 63
PID 2576 wrote to memory of 2328 | 2576 | DllCommonsvc.exe | 63
PID 2576 wrote to memory of 2328 | 2576 | DllCommonsvc.exe | 63
PID 2576 wrote to memory of 1632 | 2576 | DllCommonsvc.exe | 64
PID 2576 wrote to memory of 1632 | 2576 | DllCommonsvc.exe | 64
PID 2576 wrote to memory of 1632 | 2576 | DllCommonsvc.exe | 64
PID 2576 wrote to memory of 2376 | 2576 | DllCommonsvc.exe | 65
PID 2576 wrote to memory of 2376 | 2576 | DllCommonsvc.exe | 65
PID 2576 wrote to memory of 2376 | 2576 | DllCommonsvc.exe | 65
PID 2576 wrote to memory of 2140 | 2576 | DllCommonsvc.exe | 66
PID 2576 wrote to memory of 2140 | 2576 | DllCommonsvc.exe | 66
PID 2576 wrote to memory of 2140 | 2576 | DllCommonsvc.exe | 66
PID 2576 wrote to memory of 2152 | 2576 | DllCommonsvc.exe | 67
PID 2576 wrote to memory of 2152 | 2576 | DllCommonsvc.exe | 67
PID 2576 wrote to memory of 2152 | 2576 | DllCommonsvc.exe | 67
PID 2576 wrote to memory of 2240 | 2576 | DllCommonsvc.exe | 69
PID 2576 wrote to memory of 2240 | 2576 | DllCommonsvc.exe | 69
PID 2576 wrote to memory of 2240 | 2576 | DllCommonsvc.exe | 69
PID 2576 wrote to memory of 2020 | 2576 | DllCommonsvc.exe | 78
PID 2576 wrote to memory of 2020 | 2576 | DllCommonsvc.exe | 78
PID 2576 wrote to memory of 2020 | 2576 | DllCommonsvc.exe | 78
PID 2020 wrote to memory of 1796 | 2020 | smss.exe | 79
PID 2020 wrote to memory of 1796 | 2020 | smss.exe | 79
PID 2020 wrote to memory of 1796 | 2020 | smss.exe | 79
PID 1796 wrote to memory of 1600 | 1796 | cmd.exe | 81
PID 1796 wrote to memory of 1600 | 1796 | cmd.exe | 81
PID 1796 wrote to memory of 1600 | 1796 | cmd.exe | 81
PID 1796 wrote to memory of 780 | 1796 | cmd.exe | 82
PID 1796 wrote to memory of 780 | 1796 | cmd.exe | 82
PID 1796 wrote to memory of 780 | 1796 | cmd.exe | 82
PID 780 wrote to memory of 2500 | 780 | smss.exe | 83
PID 780 wrote to memory of 2500 | 780 | smss.exe | 83
PID 780 wrote to memory of 2500 | 780 | smss.exe | 83
PID 2500 wrote to memory of 2184 | 2500 | cmd.exe | 85
PID 2500 wrote to memory of 2184 | 2500 | cmd.exe | 85
PID 2500 wrote to memory of 2184 | 2500 | cmd.exe | 85
PID 2500 wrote to memory of 3024 | 2500 | cmd.exe | 86
PID 2500 wrote to memory of 3024 | 2500 | cmd.exe | 86
PID 2500 wrote to memory of 3024 | 2500 | cmd.exe | 86
PID 3024 wrote to memory of 2400 | 3024 | smss.exe | 87
PID 3024 wrote to memory of 2400 | 3024 | smss.exe | 87
PID 3024 wrote to memory of 2400 | 3024 | smss.exe | 87
PID 2400 wrote to memory of 1868 | 2400 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d8f9429c033fca70e8e0700ba0d1d9d88df2ed8e10488abab08de303068aff7.exe"
Depth:1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth:2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
Depth:3
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
Depth:4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\smss.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
Depth:5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
Depth:6
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:7
PID:1600
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:7
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
Depth:8
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:9
PID:2184
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:9
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
Depth:10
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:11
PID:1868
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:11
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
Depth:12
PID:2528
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:13
PID:2064
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:13
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
Depth:14
PID:1212
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:15
PID:2252
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:15
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
Depth:16
PID:2244
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:17
PID:2716
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:17
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
Depth:18
PID:2056
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:19
PID:376
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:19
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
Depth:20
PID:348
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:21
PID:2688
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:21
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
Depth:22
PID:1780
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:23
PID:2504
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:23
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
Depth:24
PID:2580
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:25
PID:2388
-
-
C:\Program Files\Common Files\Services\smss.exe
"C:\Program Files\Common Files\Services\smss.exe"
Depth:25
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ea2cd3cca5fd73fb1bf9ca49f07d981d
SHA1f362030ebbcf4a29e9fd2df5d6fcf0a270a8566e
SHA2564e31b1fc65e36ab5c78d74e84eb836533b4d942ed94170bd602647094369034b
SHA51201e159e4f928e7d75f4acf57ce65a5e888bc8aa772f94dd5ec4fed726d6867c245f540a37829e2f9ef29cd3f54f0aa30a411a36eae091408c7241eafd980e405
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a2336accbec6808b0d937c5fe1ff2506
SHA138e343de081b2672b7d7feff55c8ad58441e5a96
SHA25661c387df824d61d23c8db46b3ecefdc0673ebc3b97f678d4e591611656790eae
SHA5125e96354a5027a94eec30a573a2c4cfa87e5a1dcd7efb030c8aa2628514d614c1ad1ebb0d5b9ee4dc52cf310e8e30ac307f25d7e0d224b3d674a4f0d2251bcfbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD569082d2d9d35970e45250e636f7d39ee
SHA123a05799c45eba27072fd46cd929e30c01871aa9
SHA25692215b0ce31f71a34b94dd98ba7335eec64af241f3e558092170fed25da2ef9f
SHA512b03417c42852f76c7743ab9f3cefaef7ab4893ac91e1bbd1c87995d81d12edc371abcf67f3d8da44425115c835bdeb744b81bbe0c8fc6af2b3bf2db6760197d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5102f552309b246d7db33bcb57ce522b0
SHA132676b8e4db6ca2feb0114b1b209b8b0934f9d78
SHA256333165f69131c8d8e858f73f66effba00098f8fa30f63246908a7ac5ca07dfbb
SHA51211f841a42ac181123f1e0b504b3d794d0408efc6bfb39f6d24c6f91a1efb0e1f204452152a1d2c2911fcfe18015a5b67b03c5e65edcb8a68f283695f618cef6e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a2a30622d75a81d5d03fde107cbf70b6
SHA10e3aac0c75caabb54ae9340975431a4bfd5bee1f
SHA2561c0741edfa92e4dc2f0e9438425a6956efe51425498d75eecc159bc732c49599
SHA512e3933e2c5dd1aafbae3958058f394ded860c895c10f3282bf7f27a562cf0a170a555303d343199f21ef49d4728f3f1884a1d6dadb19906e1830ee91ca7779983
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51758b39a03a055d8b7506098c61b69a6
SHA1add0b55ffe6f4c508ea284cfd80eb1c7156dd69f
SHA256bd3548d594760dbe2fd3487dd6710b524bb8e641e73eb3d56726cf0e51800f54
SHA51246f9fe864353a0ff9b54f8a79693cae52bae0c44f93e94a6948530a0c126941f10a78055fb132ec104e814a9a181cd6515882b0668de1b0275d26681dff00e7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB