Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30/12/2024, 02:27
Behavioral task
behavioral1
Sample
JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe
-
Size
1.3MB
-
MD5
34df7506e76ceeb4d9d568da789a4a45
-
SHA1
68b2e32ba9e0e438076f711bb50bc0ceb4e82b79
-
SHA256
6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f
-
SHA512
fe4d087bca3b893371688b2bbb5f7b1211b11cf6180c164dc728e115c87ff0bce7f913f7458f974d5ea540d0ba3e9bef84dc6ed3dcb4b95dcbda3ec7499ff1b9
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2936 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3016 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2488 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1148 | 2880 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 2880 | schtasks.exe | 34
-
resource | yara_rule
behavioral1/files/0x00070000000186fd-9.dat | dcrat
behavioral1/memory/2712-13-0x00000000010E0000-0x00000000011F0000-memory.dmp | dcrat
behavioral1/memory/872-80-0x0000000000CA0000-0x0000000000DB0000-memory.dmp | dcrat
behavioral1/memory/2820-140-0x0000000000E60000-0x0000000000F70000-memory.dmp | dcrat
behavioral1/memory/1872-200-0x0000000000EE0000-0x0000000000FF0000-memory.dmp | dcrat
behavioral1/memory/2164-260-0x0000000000110000-0x0000000000220000-memory.dmp | dcrat
behavioral1/memory/2328-320-0x0000000000820000-0x0000000000930000-memory.dmp | dcrat
behavioral1/memory/2096-380-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/564-441-0x0000000000B50000-0x0000000000C60000-memory.dmp | dcrat
behavioral1/memory/2100-560-0x00000000013C0000-0x00000000014D0000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2520 | powershell.exe
2172 | powershell.exe
2268 | powershell.exe
1912 | powershell.exe
1936 | powershell.exe
2368 | powershell.exe
2380 | powershell.exe
2508 | powershell.exe
-
Executes dropped EXE 12 IoCs
pid | Process
2712 | DllCommonsvc.exe
872 | dllhost.exe
2820 | dllhost.exe
1872 | dllhost.exe
2164 | dllhost.exe
2328 | dllhost.exe
2096 | dllhost.exe
564 | dllhost.exe
1808 | dllhost.exe
2100 | dllhost.exe
992 | dllhost.exe
2692 | dllhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2400 | cmd.exe
2400 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
25 | raw.githubusercontent.com
32 | raw.githubusercontent.com
35 | raw.githubusercontent.com
5 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
22 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
29 | raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Office\886983d96e3d3e | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Google\CrashReports\24dbde2999530e | DllCommonsvc.exe
File created | C:\Program Files\Microsoft Office\csrss.exe | DllCommonsvc.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\PCHEALTH\ERRORREP\QHEADLES\69ddcba757bf72 | DllCommonsvc.exe
File created | C:\Windows\Prefetch\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\Prefetch\b75386f1303e64 | DllCommonsvc.exe
File created | C:\Windows\inf\wsearchidxpi\dllhost.exe | DllCommonsvc.exe
File opened for modification | C:\Windows\inf\wsearchidxpi\dllhost.exe | DllCommonsvc.exe
File created | C:\Windows\inf\wsearchidxpi\5940a34987c991 | DllCommonsvc.exe
File created | C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2676 | schtasks.exe
1148 | schtasks.exe
2976 | schtasks.exe
2660 | schtasks.exe
2932 | schtasks.exe
3020 | schtasks.exe
2688 | schtasks.exe
2256 | schtasks.exe
3016 | schtasks.exe
2936 | schtasks.exe
2636 | schtasks.exe
560 | schtasks.exe
1108 | schtasks.exe
2820 | schtasks.exe
2824 | schtasks.exe
2312 | schtasks.exe
2680 | schtasks.exe
2488 | schtasks.exe
2692 | schtasks.exe
2332 | schtasks.exe
2472 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
2712 | DllCommonsvc.exe
2520 | powershell.exe
2172 | powershell.exe
2380 | powershell.exe
2368 | powershell.exe
2268 | powershell.exe
1936 | powershell.exe
2508 | powershell.exe
1912 | powershell.exe
872 | dllhost.exe
2820 | dllhost.exe
1872 | dllhost.exe
2164 | dllhost.exe
2328 | dllhost.exe
2096 | dllhost.exe
564 | dllhost.exe
1808 | dllhost.exe
2100 | dllhost.exe
992 | dllhost.exe
2692 | dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2712 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2520 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 2380 | powershell.exe
Token: SeDebugPrivilege | 2368 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 1936 | powershell.exe
Token: SeDebugPrivilege | 2508 | powershell.exe
Token: SeDebugPrivilege | 1912 | powershell.exe
Token: SeDebugPrivilege | 872 | dllhost.exe
Token: SeDebugPrivilege | 2820 | dllhost.exe
Token: SeDebugPrivilege | 1872 | dllhost.exe
Token: SeDebugPrivilege | 2164 | dllhost.exe
Token: SeDebugPrivilege | 2328 | dllhost.exe
Token: SeDebugPrivilege | 2096 | dllhost.exe
Token: SeDebugPrivilege | 564 | dllhost.exe
Token: SeDebugPrivilege | 1808 | dllhost.exe
Token: SeDebugPrivilege | 2100 | dllhost.exe
Token: SeDebugPrivilege | 992 | dllhost.exe
Token: SeDebugPrivilege | 2692 | dllhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2440 wrote to memory of 2328 | 2440 | JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe | 30
PID 2440 wrote to memory of 2328 | 2440 | JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe | 30
PID 2440 wrote to memory of 2328 | 2440 | JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe | 30
PID 2440 wrote to memory of 2328 | 2440 | JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe | 30
PID 2328 wrote to memory of 2400 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 2400 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 2400 | 2328 | WScript.exe | 31
PID 2328 wrote to memory of 2400 | 2328 | WScript.exe | 31
PID 2400 wrote to memory of 2712 | 2400 | cmd.exe | 33
PID 2400 wrote to memory of 2712 | 2400 | cmd.exe | 33
PID 2400 wrote to memory of 2712 | 2400 | cmd.exe | 33
PID 2400 wrote to memory of 2712 | 2400 | cmd.exe | 33
PID 2712 wrote to memory of 2520 | 2712 | DllCommonsvc.exe | 57
PID 2712 wrote to memory of 2520 | 2712 | DllCommonsvc.exe | 57
PID 2712 wrote to memory of 2520 | 2712 | DllCommonsvc.exe | 57
PID 2712 wrote to memory of 2172 | 2712 | DllCommonsvc.exe | 58
PID 2712 wrote to memory of 2172 | 2712 | DllCommonsvc.exe | 58
PID 2712 wrote to memory of 2172 | 2712 | DllCommonsvc.exe | 58
PID 2712 wrote to memory of 2268 | 2712 | DllCommonsvc.exe | 59
PID 2712 wrote to memory of 2268 | 2712 | DllCommonsvc.exe | 59
PID 2712 wrote to memory of 2268 | 2712 | DllCommonsvc.exe | 59
PID 2712 wrote to memory of 1912 | 2712 | DllCommonsvc.exe | 60
PID 2712 wrote to memory of 1912 | 2712 | DllCommonsvc.exe | 60
PID 2712 wrote to memory of 1912 | 2712 | DllCommonsvc.exe | 60
PID 2712 wrote to memory of 1936 | 2712 | DllCommonsvc.exe | 61
PID 2712 wrote to memory of 1936 | 2712 | DllCommonsvc.exe | 61
PID 2712 wrote to memory of 1936 | 2712 | DllCommonsvc.exe | 61
PID 2712 wrote to memory of 2368 | 2712 | DllCommonsvc.exe | 62
PID 2712 wrote to memory of 2368 | 2712 | DllCommonsvc.exe | 62
PID 2712 wrote to memory of 2368 | 2712 | DllCommonsvc.exe | 62
PID 2712 wrote to memory of 2380 | 2712 | DllCommonsvc.exe | 63
PID 2712 wrote to memory of 2380 | 2712 | DllCommonsvc.exe | 63
PID 2712 wrote to memory of 2380 | 2712 | DllCommonsvc.exe | 63
PID 2712 wrote to memory of 2508 | 2712 | DllCommonsvc.exe | 64
PID 2712 wrote to memory of 2508 | 2712 | DllCommonsvc.exe | 64
PID 2712 wrote to memory of 2508 | 2712 | DllCommonsvc.exe | 64
PID 2712 wrote to memory of 1460 | 2712 | DllCommonsvc.exe | 73
PID 2712 wrote to memory of 1460 | 2712 | DllCommonsvc.exe | 73
PID 2712 wrote to memory of 1460 | 2712 | DllCommonsvc.exe | 73
PID 1460 wrote to memory of 2548 | 1460 | cmd.exe | 75
PID 1460 wrote to memory of 2548 | 1460 | cmd.exe | 75
PID 1460 wrote to memory of 2548 | 1460 | cmd.exe | 75
PID 1460 wrote to memory of 872 | 1460 | cmd.exe | 76
PID 1460 wrote to memory of 872 | 1460 | cmd.exe | 76
PID 1460 wrote to memory of 872 | 1460 | cmd.exe | 76
PID 872 wrote to memory of 2000 | 872 | dllhost.exe | 77
PID 872 wrote to memory of 2000 | 872 | dllhost.exe | 77
PID 872 wrote to memory of 2000 | 872 | dllhost.exe | 77
PID 2000 wrote to memory of 2332 | 2000 | cmd.exe | 79
PID 2000 wrote to memory of 2332 | 2000 | cmd.exe | 79
PID 2000 wrote to memory of 2332 | 2000 | cmd.exe | 79
PID 2000 wrote to memory of 2820 | 2000 | cmd.exe | 80
PID 2000 wrote to memory of 2820 | 2000 | cmd.exe | 80
PID 2000 wrote to memory of 2820 | 2000 | cmd.exe | 80
PID 2820 wrote to memory of 1500 | 2820 | dllhost.exe | 81
PID 2820 wrote to memory of 1500 | 2820 | dllhost.exe | 81
PID 2820 wrote to memory of 1500 | 2820 | dllhost.exe | 81
PID 1500 wrote to memory of 2132 | 1500 | cmd.exe | 83
PID 1500 wrote to memory of 2132 | 1500 | cmd.exe | 83
PID 1500 wrote to memory of 2132 | 1500 | cmd.exe | 83
PID 1500 wrote to memory of 1872 | 1500 | cmd.exe | 84
PID 1500 wrote to memory of 1872 | 1500 | cmd.exe | 84
PID 1500 wrote to memory of 1872 | 1500 | cmd.exe | 84
PID 1872 wrote to memory of 1584 | 1872 | dllhost.exe | 85
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6967526d2772ad9afaf9d37407a183989f72032e43469452d45647e2a281771f.exe" 1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\wsearchidxpi\dllhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\csrss.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\taskhost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4Xd3ofT6n.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:2548
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat" 7⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 8⤵ PID:2332
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:2132
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat" 11⤵ PID:1584
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:1920
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat" 13⤵ PID:2996
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:884
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat" 15⤵ PID:3008
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:1552
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat" 17⤵ PID:1580
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:1960
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat" 19⤵ PID:2548
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:2648
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat" 21⤵ PID:2588
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:340
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat" 23⤵ PID:1564
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:1184
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat" 25⤵ PID:572
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:1716
-
-
C:\Windows\inf\wsearchidxpi\dllhost.exe "C:\Windows\inf\wsearchidxpi\dllhost.exe" 26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\wsearchidxpi\dllhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\fr-FR\audiodg.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\smss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\taskhost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
Network
MITRE ATT&CK Enterprise v15
Downloads