Analysis
max time kernel: 146s
max time network: 141s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 17:35

Behavioral task: behavioral1
Sample: JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
Resource: win10v2004-20241007-en

General
Target: JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
Size: 1.3MB
MD5: ef9929a8179ccfcb8742812486534e53
SHA1: 7b04591c689e7ab85edb495b7f6c26f08bfef9b6
SHA256: 8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db
SHA512: e13619e405603a72c9ac0bd370c058c7d2feb1325a07316beecc7c9a48c763140071454ef6465d77ad4d0dd372d61b9b3bd05546583864a82d5a486068ba53b2
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1744 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 688 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1644 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1324 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1732 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1392 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2164 | schtasks.exe | 35 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2164 | schtasks.exe | 35 |
-

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0006000000019219-9.dat | dcrat |
| behavioral1/memory/2084-13-0x0000000001220000-0x0000000001330000-memory.dmp | dcrat |
| behavioral1/memory/1788-40-0x00000000009D0000-0x0000000000AE0000-memory.dmp | dcrat |
| behavioral1/memory/2700-145-0x0000000000FD0000-0x00000000010E0000-memory.dmp | dcrat |
| behavioral1/memory/2660-205-0x00000000003E0000-0x00000000004F0000-memory.dmp | dcrat |
| behavioral1/memory/2436-265-0x0000000000990000-0x0000000000AA0000-memory.dmp | dcrat |
| behavioral1/memory/1976-325-0x0000000001120000-0x0000000001230000-memory.dmp | dcrat |
| behavioral1/memory/1144-446-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat |
| behavioral1/memory/1124-506-0x0000000000A20000-0x0000000000B30000-memory.dmp | dcrat |
| behavioral1/memory/1864-625-0x00000000001F0000-0x0000000000300000-memory.dmp | dcrat |
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
| --- | --- |
| 2156 | powershell.exe |
| 1864 | powershell.exe |
| 1396 | powershell.exe |
| 3020 | powershell.exe |
| 2136 | powershell.exe |
| 2448 | powershell.exe |
| 1484 | powershell.exe |
| 2080 | powershell.exe |
| 576 | powershell.exe |
-
Executes dropped EXE 11 IoCs

| pid | Process |
| --- | --- |
| 2084 | DllCommonsvc.exe |
| 1788 | spoolsv.exe |
| 2700 | spoolsv.exe |
| 2660 | spoolsv.exe |
| 2436 | spoolsv.exe |
| 1976 | spoolsv.exe |
| 2292 | spoolsv.exe |
| 1144 | spoolsv.exe |
| 1124 | spoolsv.exe |
| 656 | spoolsv.exe |
| 1864 | spoolsv.exe |
-
Loads dropped DLL 2 IoCs

| pid | Process |
| --- | --- |
| 2332 | cmd.exe |
| 2332 | cmd.exe |
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

| flow | ioc |
| --- | --- |
| 12 | raw.githubusercontent.com |
| 16 | raw.githubusercontent.com |
| 20 | raw.githubusercontent.com |
| 23 | raw.githubusercontent.com |
| 30 | raw.githubusercontent.com |
| 9 | raw.githubusercontent.com |
| 5 | raw.githubusercontent.com |
| 27 | raw.githubusercontent.com |
| 33 | raw.githubusercontent.com |
| 4 | raw.githubusercontent.com |
-
Drops file in Program Files directory 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16 | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe | DllCommonsvc.exe |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e | DllCommonsvc.exe |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe | DllCommonsvc.exe |
| File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe | DllCommonsvc.exe |
-
Drops file in Windows directory 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe | DllCommonsvc.exe |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24 | DllCommonsvc.exe |
| File created | C:\Windows\Speech\Common\wininit.exe | DllCommonsvc.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 1440 | schtasks.exe |
| 2824 | schtasks.exe |
| 1644 | schtasks.exe |
| 2856 | schtasks.exe |
| 2024 | schtasks.exe |
| 1740 | schtasks.exe |
| 2044 | schtasks.exe |
| 2732 | schtasks.exe |
| 2600 | schtasks.exe |
| 1392 | schtasks.exe |
| 2864 | schtasks.exe |
| 2712 | schtasks.exe |
| 2580 | schtasks.exe |
| 2604 | schtasks.exe |
| 1744 | schtasks.exe |
| 688 | schtasks.exe |
| 2236 | schtasks.exe |
| 1732 | schtasks.exe |
| 2592 | schtasks.exe |
| 2608 | schtasks.exe |
| 2616 | schtasks.exe |
| 2612 | schtasks.exe |
| 1324 | schtasks.exe |
| 1816 | schtasks.exe |
-
Suspicious behavior: EnumeratesProcesses 24 IoCs

| pid | Process |
| --- | --- |
| 2084 | DllCommonsvc.exe |
| 2084 | DllCommonsvc.exe |
| 2084 | DllCommonsvc.exe |
| 2084 | DllCommonsvc.exe |
| 2084 | DllCommonsvc.exe |
| 576 | powershell.exe |
| 2080 | powershell.exe |
| 2136 | powershell.exe |
| 2448 | powershell.exe |
| 3020 | powershell.exe |
| 2156 | powershell.exe |
| 1484 | powershell.exe |
| 1396 | powershell.exe |
| 1864 | powershell.exe |
| 1788 | spoolsv.exe |
| 2700 | spoolsv.exe |
| 2660 | spoolsv.exe |
| 2436 | spoolsv.exe |
| 1976 | spoolsv.exe |
| 2292 | spoolsv.exe |
| 1144 | spoolsv.exe |
| 1124 | spoolsv.exe |
| 656 | spoolsv.exe |
| 1864 | spoolsv.exe |
-
Suspicious use of AdjustPrivilegeToken 20 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2084 | DllCommonsvc.exe |
| Token: SeDebugPrivilege | 576 | powershell.exe |
| Token: SeDebugPrivilege | 2080 | powershell.exe |
| Token: SeDebugPrivilege | 2448 | powershell.exe |
| Token: SeDebugPrivilege | 2136 | powershell.exe |
| Token: SeDebugPrivilege | 3020 | powershell.exe |
| Token: SeDebugPrivilege | 2156 | powershell.exe |
| Token: SeDebugPrivilege | 1484 | powershell.exe |
| Token: SeDebugPrivilege | 1396 | powershell.exe |
| Token: SeDebugPrivilege | 1864 | powershell.exe |
| Token: SeDebugPrivilege | 1788 | spoolsv.exe |
| Token: SeDebugPrivilege | 2700 | spoolsv.exe |
| Token: SeDebugPrivilege | 2660 | spoolsv.exe |
| Token: SeDebugPrivilege | 2436 | spoolsv.exe |
| Token: SeDebugPrivilege | 1976 | spoolsv.exe |
| Token: SeDebugPrivilege | 2292 | spoolsv.exe |
| Token: SeDebugPrivilege | 1144 | spoolsv.exe |
| Token: SeDebugPrivilege | 1124 | spoolsv.exe |
| Token: SeDebugPrivilege | 656 | spoolsv.exe |
| Token: SeDebugPrivilege | 1864 | spoolsv.exe |
-
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2976 wrote to memory of 1972 | 2976 | JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe | 30 |
| PID 2976 wrote to memory of 1972 | 2976 | JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe | 30 |
| PID 2976 wrote to memory of 1972 | 2976 | JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe | 30 |
| PID 2976 wrote to memory of 1972 | 2976 | JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe | 30 |
| PID 1972 wrote to memory of 2332 | 1972 | WScript.exe | 32 |
| PID 1972 wrote to memory of 2332 | 1972 | WScript.exe | 32 |
| PID 1972 wrote to memory of 2332 | 1972 | WScript.exe | 32 |
| PID 1972 wrote to memory of 2332 | 1972 | WScript.exe | 32 |
| PID 2332 wrote to memory of 2084 | 2332 | cmd.exe | 34 |
| PID 2332 wrote to memory of 2084 | 2332 | cmd.exe | 34 |
| PID 2332 wrote to memory of 2084 | 2332 | cmd.exe | 34 |
| PID 2332 wrote to memory of 2084 | 2332 | cmd.exe | 34 |
| PID 2084 wrote to memory of 2156 | 2084 | DllCommonsvc.exe | 60 |
| PID 2084 wrote to memory of 2156 | 2084 | DllCommonsvc.exe | 60 |
| PID 2084 wrote to memory of 2156 | 2084 | DllCommonsvc.exe | 60 |
| PID 2084 wrote to memory of 2136 | 2084 | DllCommonsvc.exe | 61 |
| PID 2084 wrote to memory of 2136 | 2084 | DllCommonsvc.exe | 61 |
| PID 2084 wrote to memory of 2136 | 2084 | DllCommonsvc.exe | 61 |
| PID 2084 wrote to memory of 2448 | 2084 | DllCommonsvc.exe | 62 |
| PID 2084 wrote to memory of 2448 | 2084 | DllCommonsvc.exe | 62 |
| PID 2084 wrote to memory of 2448 | 2084 | DllCommonsvc.exe | 62 |
| PID 2084 wrote to memory of 576 | 2084 | DllCommonsvc.exe | 63 |
| PID 2084 wrote to memory of 576 | 2084 | DllCommonsvc.exe | 63 |
| PID 2084 wrote to memory of 576 | 2084 | DllCommonsvc.exe | 63 |
| PID 2084 wrote to memory of 3020 | 2084 | DllCommonsvc.exe | 64 |
| PID 2084 wrote to memory of 3020 | 2084 | DllCommonsvc.exe | 64 |
| PID 2084 wrote to memory of 3020 | 2084 | DllCommonsvc.exe | 64 |
| PID 2084 wrote to memory of 1396 | 2084 | DllCommonsvc.exe | 66 |
| PID 2084 wrote to memory of 1396 | 2084 | DllCommonsvc.exe | 66 |
| PID 2084 wrote to memory of 1396 | 2084 | DllCommonsvc.exe | 66 |
| PID 2084 wrote to memory of 2080 | 2084 | DllCommonsvc.exe | 67 |
| PID 2084 wrote to memory of 2080 | 2084 | DllCommonsvc.exe | 67 |
| PID 2084 wrote to memory of 2080 | 2084 | DllCommonsvc.exe | 67 |
| PID 2084 wrote to memory of 1864 | 2084 | DllCommonsvc.exe | 69 |
| PID 2084 wrote to memory of 1864 | 2084 | DllCommonsvc.exe | 69 |
| PID 2084 wrote to memory of 1864 | 2084 | DllCommonsvc.exe | 69 |
| PID 2084 wrote to memory of 1484 | 2084 | DllCommonsvc.exe | 70 |
| PID 2084 wrote to memory of 1484 | 2084 | DllCommonsvc.exe | 70 |
| PID 2084 wrote to memory of 1484 | 2084 | DllCommonsvc.exe | 70 |
| PID 2084 wrote to memory of 1788 | 2084 | DllCommonsvc.exe | 77 |
| PID 2084 wrote to memory of 1788 | 2084 | DllCommonsvc.exe | 77 |
| PID 2084 wrote to memory of 1788 | 2084 | DllCommonsvc.exe | 77 |
| PID 1788 wrote to memory of 1708 | 1788 | spoolsv.exe | 79 |
| PID 1788 wrote to memory of 1708 | 1788 | spoolsv.exe | 79 |
| PID 1788 wrote to memory of 1708 | 1788 | spoolsv.exe | 79 |
| PID 1708 wrote to memory of 2280 | 1708 | cmd.exe | 81 |
| PID 1708 wrote to memory of 2280 | 1708 | cmd.exe | 81 |
| PID 1708 wrote to memory of 2280 | 1708 | cmd.exe | 81 |
| PID 1708 wrote to memory of 2700 | 1708 | cmd.exe | 82 |
| PID 1708 wrote to memory of 2700 | 1708 | cmd.exe | 82 |
| PID 1708 wrote to memory of 2700 | 1708 | cmd.exe | 82 |
| PID 2700 wrote to memory of 2380 | 2700 | spoolsv.exe | 83 |
| PID 2700 wrote to memory of 2380 | 2700 | spoolsv.exe | 83 |
| PID 2700 wrote to memory of 2380 | 2700 | spoolsv.exe | 83 |
| PID 2380 wrote to memory of 2324 | 2380 | cmd.exe | 85 |
| PID 2380 wrote to memory of 2324 | 2380 | cmd.exe | 85 |
| PID 2380 wrote to memory of 2324 | 2380 | cmd.exe | 85 |
| PID 2380 wrote to memory of 2660 | 2380 | cmd.exe | 86 |
| PID 2380 wrote to memory of 2660 | 2380 | cmd.exe | 86 |
| PID 2380 wrote to memory of 2660 | 2380 | cmd.exe | 86 |
| PID 2660 wrote to memory of 1608 | 2660 | spoolsv.exe | 87 |
| PID 2660 wrote to memory of 1608 | 2660 | spoolsv.exe | 87 |
| PID 2660 wrote to memory of 1608 | 2660 | spoolsv.exe | 87 |
| PID 1608 wrote to memory of 1816 | 1608 | cmd.exe | 89 |
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8bd5385c30b54b4890ccd384447c3532fc22fb975c00731cf134cb4e3c6677db.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
-
[depth 2] C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
-
[depth 4] C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\taskhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
[depth 5] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
-
[depth 6] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
- Suspicious use of WriteProcessMemory
PID:1708
-
[depth 7] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2280
-
[depth 7] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
-
[depth 8] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
- Suspicious use of WriteProcessMemory
PID:2380
-
[depth 9] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2324
-
[depth 9] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
-
[depth 10] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
- Suspicious use of WriteProcessMemory
PID:1608
-
[depth 11] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1816
-
[depth 11] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
[depth 12] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
PID:2516
-
[depth 13] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:904
-
[depth 13] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
[depth 14] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fH1ASKIIFN.bat"
PID:2372
-
[depth 15] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:572
-
[depth 15] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
[depth 16] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
PID:2736
-
[depth 17] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2732
-
[depth 17] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
[depth 18] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
PID:1568
-
[depth 19] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2756
-
[depth 19] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
[depth 20] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
PID:1876
-
[depth 21] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2760
-
[depth 21] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656
-
[depth 22] C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
PID:3056
-
[depth 23] C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2448
-
[depth 23] C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
[depth 1] C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
Network
MITRE ATT&CK Enterprise v15
Downloads