Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
30/12/2024, 02:49
Behavioral task
behavioral1
Sample
JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe
-
Size
1.3MB
-
MD5
7611c93f171fcae828a6392638eb46d2
-
SHA1
5751f17b0e1e3963565ce4b40ae189e0eebe6420
-
SHA256
d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c
-
SHA512
67dd292126f7e20342ef9e91eb92d4297ef5e1ea9b69be8bf78fb21d2b85e9f6c460cf553657c5d42b734e3b19b78de1e9e6ea77cdf00911c27d9b110e12d73e
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1500 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 768 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1028 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2156 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1988 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1764 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1588 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 2764 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2764 | schtasks.exe | 35
-
resource | yara_rule
behavioral1/files/0x0007000000018687-9.dat | dcrat
behavioral1/memory/2500-13-0x00000000000F0000-0x0000000000200000-memory.dmp | dcrat
behavioral1/memory/2928-88-0x00000000001A0000-0x00000000002B0000-memory.dmp | dcrat
behavioral1/memory/3016-147-0x0000000001390000-0x00000000014A0000-memory.dmp | dcrat
behavioral1/memory/3016-384-0x0000000000230000-0x0000000000340000-memory.dmp | dcrat
behavioral1/memory/1828-444-0x0000000001030000-0x0000000001140000-memory.dmp | dcrat
behavioral1/memory/2720-563-0x0000000000130000-0x0000000000240000-memory.dmp | dcrat
behavioral1/memory/2320-623-0x0000000001050000-0x0000000001160000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2280 | powershell.exe
2200 | powershell.exe
2188 | powershell.exe
2376 | powershell.exe
1360 | powershell.exe
2208 | powershell.exe
840 | powershell.exe
2444 | powershell.exe
1084 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2500 | DllCommonsvc.exe
2928 | explorer.exe
3016 | explorer.exe
2340 | explorer.exe
2704 | explorer.exe
2976 | explorer.exe
3016 | explorer.exe
1828 | explorer.exe
2756 | explorer.exe
2720 | explorer.exe
2320 | explorer.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2152 | cmd.exe
2152 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
22 | raw.githubusercontent.com
26 | raw.githubusercontent.com
12 | raw.githubusercontent.com
15 | raw.githubusercontent.com
18 | raw.githubusercontent.com
29 | raw.githubusercontent.com
32 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows NT\TableTextService\es-ES\56085415360792 | DllCommonsvc.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Panther\UnattendGC\taskhost.exe | DllCommonsvc.exe
File created | C:\Windows\Panther\UnattendGC\b75386f1303e64 | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2956 | schtasks.exe
1092 | schtasks.exe
1936 | schtasks.exe
1028 | schtasks.exe
1988 | schtasks.exe
2276 | schtasks.exe
2132 | schtasks.exe
2736 | schtasks.exe
2644 | schtasks.exe
2828 | schtasks.exe
2520 | schtasks.exe
2848 | schtasks.exe
1428 | schtasks.exe
1764 | schtasks.exe
1500 | schtasks.exe
2628 | schtasks.exe
2632 | schtasks.exe
1984 | schtasks.exe
2156 | schtasks.exe
2844 | schtasks.exe
1588 | schtasks.exe
768 | schtasks.exe
2696 | schtasks.exe
2180 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2500 | DllCommonsvc.exe
2500 | DllCommonsvc.exe
2500 | DllCommonsvc.exe
2208 | powershell.exe
2200 | powershell.exe
840 | powershell.exe
1084 | powershell.exe
2188 | powershell.exe
2444 | powershell.exe
1360 | powershell.exe
2376 | powershell.exe
2280 | powershell.exe
2928 | explorer.exe
3016 | explorer.exe
2340 | explorer.exe
2704 | explorer.exe
2976 | explorer.exe
3016 | explorer.exe
1828 | explorer.exe
2756 | explorer.exe
2720 | explorer.exe
2320 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2500 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2208 | powershell.exe
Token: SeDebugPrivilege | 2200 | powershell.exe
Token: SeDebugPrivilege | 840 | powershell.exe
Token: SeDebugPrivilege | 1084 | powershell.exe
Token: SeDebugPrivilege | 2188 | powershell.exe
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 1360 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 2280 | powershell.exe
Token: SeDebugPrivilege | 2928 | explorer.exe
Token: SeDebugPrivilege | 3016 | explorer.exe
Token: SeDebugPrivilege | 2340 | explorer.exe
Token: SeDebugPrivilege | 2704 | explorer.exe
Token: SeDebugPrivilege | 2976 | explorer.exe
Token: SeDebugPrivilege | 3016 | explorer.exe
Token: SeDebugPrivilege | 1828 | explorer.exe
Token: SeDebugPrivilege | 2756 | explorer.exe
Token: SeDebugPrivilege | 2720 | explorer.exe
Token: SeDebugPrivilege | 2320 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2532 wrote to memory of 2580 | 2532 | JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe | 31
PID 2532 wrote to memory of 2580 | 2532 | JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe | 31
PID 2532 wrote to memory of 2580 | 2532 | JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe | 31
PID 2532 wrote to memory of 2580 | 2532 | JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe | 31
PID 2580 wrote to memory of 2152 | 2580 | WScript.exe | 32
PID 2580 wrote to memory of 2152 | 2580 | WScript.exe | 32
PID 2580 wrote to memory of 2152 | 2580 | WScript.exe | 32
PID 2580 wrote to memory of 2152 | 2580 | WScript.exe | 32
PID 2152 wrote to memory of 2500 | 2152 | cmd.exe | 34
PID 2152 wrote to memory of 2500 | 2152 | cmd.exe | 34
PID 2152 wrote to memory of 2500 | 2152 | cmd.exe | 34
PID 2152 wrote to memory of 2500 | 2152 | cmd.exe | 34
PID 2500 wrote to memory of 2208 | 2500 | DllCommonsvc.exe | 60
PID 2500 wrote to memory of 2208 | 2500 | DllCommonsvc.exe | 60
PID 2500 wrote to memory of 2208 | 2500 | DllCommonsvc.exe | 60
PID 2500 wrote to memory of 2280 | 2500 | DllCommonsvc.exe | 61
PID 2500 wrote to memory of 2280 | 2500 | DllCommonsvc.exe | 61
PID 2500 wrote to memory of 2280 | 2500 | DllCommonsvc.exe | 61
PID 2500 wrote to memory of 2200 | 2500 | DllCommonsvc.exe | 62
PID 2500 wrote to memory of 2200 | 2500 | DllCommonsvc.exe | 62
PID 2500 wrote to memory of 2200 | 2500 | DllCommonsvc.exe | 62
PID 2500 wrote to memory of 2188 | 2500 | DllCommonsvc.exe | 63
PID 2500 wrote to memory of 2188 | 2500 | DllCommonsvc.exe | 63
PID 2500 wrote to memory of 2188 | 2500 | DllCommonsvc.exe | 63
PID 2500 wrote to memory of 840 | 2500 | DllCommonsvc.exe | 64
PID 2500 wrote to memory of 840 | 2500 | DllCommonsvc.exe | 64
PID 2500 wrote to memory of 840 | 2500 | DllCommonsvc.exe | 64
PID 2500 wrote to memory of 2376 | 2500 | DllCommonsvc.exe | 65
PID 2500 wrote to memory of 2376 | 2500 | DllCommonsvc.exe | 65
PID 2500 wrote to memory of 2376 | 2500 | DllCommonsvc.exe | 65
PID 2500 wrote to memory of 2444 | 2500 | DllCommonsvc.exe | 66
PID 2500 wrote to memory of 2444 | 2500 | DllCommonsvc.exe | 66
PID 2500 wrote to memory of 2444 | 2500 | DllCommonsvc.exe | 66
PID 2500 wrote to memory of 1360 | 2500 | DllCommonsvc.exe | 67
PID 2500 wrote to memory of 1360 | 2500 | DllCommonsvc.exe | 67
PID 2500 wrote to memory of 1360 | 2500 | DllCommonsvc.exe | 67
PID 2500 wrote to memory of 1084 | 2500 | DllCommonsvc.exe | 68
PID 2500 wrote to memory of 1084 | 2500 | DllCommonsvc.exe | 68
PID 2500 wrote to memory of 1084 | 2500 | DllCommonsvc.exe | 68
PID 2500 wrote to memory of 1508 | 2500 | DllCommonsvc.exe | 74
PID 2500 wrote to memory of 1508 | 2500 | DllCommonsvc.exe | 74
PID 2500 wrote to memory of 1508 | 2500 | DllCommonsvc.exe | 74
PID 1508 wrote to memory of 952 | 1508 | cmd.exe | 80
PID 1508 wrote to memory of 952 | 1508 | cmd.exe | 80
PID 1508 wrote to memory of 952 | 1508 | cmd.exe | 80
PID 1508 wrote to memory of 2928 | 1508 | cmd.exe | 81
PID 1508 wrote to memory of 2928 | 1508 | cmd.exe | 81
PID 1508 wrote to memory of 2928 | 1508 | cmd.exe | 81
PID 2928 wrote to memory of 2988 | 2928 | explorer.exe | 82
PID 2928 wrote to memory of 2988 | 2928 | explorer.exe | 82
PID 2928 wrote to memory of 2988 | 2928 | explorer.exe | 82
PID 2988 wrote to memory of 2912 | 2988 | cmd.exe | 84
PID 2988 wrote to memory of 2912 | 2988 | cmd.exe | 84
PID 2988 wrote to memory of 2912 | 2988 | cmd.exe | 84
PID 2988 wrote to memory of 3016 | 2988 | cmd.exe | 85
PID 2988 wrote to memory of 3016 | 2988 | cmd.exe | 85
PID 2988 wrote to memory of 3016 | 2988 | cmd.exe | 85
PID 3016 wrote to memory of 2592 | 3016 | explorer.exe | 86
PID 3016 wrote to memory of 2592 | 3016 | explorer.exe | 86
PID 3016 wrote to memory of 2592 | 3016 | explorer.exe | 86
PID 2592 wrote to memory of 2332 | 2592 | cmd.exe | 88
PID 2592 wrote to memory of 2332 | 2592 | cmd.exe | 88
PID 2592 wrote to memory of 2332 | 2592 | cmd.exe | 88
PID 2592 wrote to memory of 2340 | 2592 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d3cb3989ed3aa6cd9ee8d51a2878a697dcc4b20d574dc2a240aff2192548bf4c.exe"
Depth: 1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
Depth: 2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
-
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
Depth: 3
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
-
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
Depth: 4
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\taskhost.exe'
Depth: 5
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qh10l5BGEn.bat"
Depth: 5
- Suspicious use of WriteProcessMemory
PID:1508
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 6
PID:952
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 6
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
Depth: 7
- Suspicious use of WriteProcessMemory
PID:2988
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 8
PID:2912
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
Depth: 9
- Suspicious use of WriteProcessMemory
PID:2592
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 10
PID:2332
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 10
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
Depth: 11
PID:2560
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 12
PID:2128
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 12
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
Depth: 13
PID:2848
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 14
PID:2036
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 14
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
Depth: 15
PID:2396
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 16
PID:2068
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 16
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
Depth: 17
PID:2412
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 18
PID:1520
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 18
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
Depth: 19
PID:2204
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 20
PID:2520
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 20
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
Depth: 21
PID:2724
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 22
PID:2892
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 22
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
Depth: 23
PID:2896
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 24
PID:1972
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe"
Depth: 24
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\wininit.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\taskhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\UnattendGC\taskhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5594d060e778a7f0c90dfa2419513d07e
SHA193a977543d700ac1d65413a450942ecea473f746
SHA256d24b4eb0aa564c9f3b26f60601188236927d4cc54fb1ac6cc22cab6c87bc2123
SHA5126947901512d677e641482f0f87782592775eb66db796bc1ac86dac04cd81889e9816dbead5530e63c53b4c38454c9a33e5fa60c13df38026d2a66e508deb793b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5695a7593e5efc755507382a1b2f93824
SHA1a969a820c25d28264e0f1691bb4b7278e227172d
SHA256a948310f4d79acdd9c14d0751deeb66b7879ae711f2ee5e4a10ab3d56e3ecf15
SHA51265cda4e44ca7f190d414e5ee45e1dd31c65222ee767abf07df7a1d9f33c16c1a6c8e55d3b53f2284a21a23074da004a546f68f3e1fdd7a4f25eda68ffcc62f98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59d45425945b985147e25178c46062898
SHA1e0ef0aaf4971c20b4bf137594ed2d1194aa9abeb
SHA256cdb95d1db1ed126bfbee787084ace1cca35ec693bdbe52f511bcdaed6c7e387d
SHA512e685af117d6f3621dcb24cb28367147de25d09c2fe263a4c9eae134a803c0349ab3aeff9f7790fa683af1856081966479cdf647f87fad364536612f79c24ccbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59bf3308e59addafe17c14f1895996e3d
SHA1d730318f03f2a7a111517580a7a7e772fe8c1be9
SHA256c5cf817b45ece5db533250582bd88a5b229cf71cc10ac0b626e63faad0ff73cb
SHA512cb82ce5329cc4116e1234295aaf77c64daf70141bef2481dcb0d47fd7a73e89b5467fbcae6ff8bb98c568ebb9c938fef185be607169877f3302b62d43d247a1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55137ee65b798f17e913ecf79d76b0f29
SHA13562652f00a6900cc43d817758a1da69b88d0c17
SHA2567156f3c798d1f1644a04b0c1d67cad5b1ba8fa16d11552cc0dc2a5fc1de553c1
SHA51254a01da2539ef683982be2cc51b976c8dfa9a645dd265d85ce1f10ec46dbd4e05209a7999699f55d8fc065c0f1ae6afae4edac346eb01a49ca434301d9de04b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5677cd6d5112de1a5fd9708490e0d2ac9
SHA19604362a40d73ca376df85ae235e3b91c030e647
SHA256d48846d211736738081a19358a3d7d5a5151274b14cdb6a8f54b0952452737df
SHA512b7dd9c570859f20d44970a4b7a51a4a6ab16c40390ac695aa1ab971600adb382f25fad97b80ea294f2eea7ddd482a63f7c7fca7c1354759eac739aa5c7e1293e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c9729752d4176e42ef25bc9de7942cf1
SHA1373b79579c61ba50d8531e229522b20d4ca5291d
SHA256cdc0ff64e3dd64a49d8dd42ec208deaa008bf1d84f30da48bd30483246a00a8f
SHA512486a7f80c3417be35e2d11cf9f6b88f18f38e527ec64fdcdd49510000ff966e6f2d282d3b02c718f340a564856371c4eb2377148ad1a2fc690941ded8d19d65a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05AWEZOB3BT3B2VBAXOV.temp
Filesize
7KB