Analysis
- max time kernel: 158s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 09:51
Static task: static1
Behavioral task: behavioral1
Sample: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Resource: win7-20220812-en
General
- Target: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
- Size: 387KB
- MD5: 2184e73b4a2ecee7a726b2d7f8374946
- SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
- SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
- SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
- SSDEEP: 6144:27D6KarVGMXvnF/Cq/HgZ4OYSUO8mJuWV918BMgVvraUdctrs+s3jwwV:sDGR3dCyHtOZ/JuWV9uBMg10ewwV
Malware Config
Extracted
cybergate
2.6
ÖÍíÉ
127.0.0.1:8081
tunisia-sat.no-ip.biz:8081
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: svchost.exe
- install_dir: bin
- install_file: windows.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: t?tulo da mensagem
- password: abcd1234
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1124 created 3280 | 1124 | WerFault.exe | 88
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Executes dropped EXE 4 IoCs
pid | Process
4616 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
2064 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
1244 | windows.exe
3280 | windows.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | explorer.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | windows.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\bin\help.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File created | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | C:\windows\SysWOW64\microsoft\bin\windows.exe | windows.exe
File opened for modification | C:\Windows\SysWOW64\bin | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\ | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | C:\Windows\SysWOW64\bin\help.exe | windows.exe
File opened for modification | C:\Windows\SysWOW64\bin\help.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1692 set thread context of 4616 | 1692 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | 80
PID 1244 set thread context of 3280 | 1244 | windows.exe | 88
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4940 | 3280 | WerFault.exe | 88
4696 | 4940 | WerFault.exe | 94
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4616 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
2064 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2064 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2064 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Token: SeDebugPrivilege | 2064 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Token: SeRestorePrivilege | 4940 | WerFault.exe
Token: SeBackupPrivilege | 4940 | WerFault.exe
Token: SeBackupPrivilege | 4940 | WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4616 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1692 wrote to memory of 1660 | 1692 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | 79
PID 1692 wrote to memory of 4616 | 1692 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | 80
PID 1660 wrote to memory of 5060 | 1660 | cmd.exe | 82
PID 5060 wrote to memory of 4252 | 5060 | net.exe | 83
PID 4616 wrote to memory of 2132 | 4616 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | 39
Processes
C:\Windows\system32\lsass.exe C:\Windows\system32\lsass.exe 1⤵ PID:672
C:\Windows\system32\winlogon.exe winlogon.exe 1⤵ PID:592
  C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 2⤵ PID:784
  C:\Windows\system32\dwm.exe "dwm.exe" 2⤵ PID:376
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM 1⤵ PID:956
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -p 1⤵ PID:908
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p 1⤵ PID:800
  C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 2⤵ PID:3424
  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 2⤵ PID:3344
  C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 2⤵ PID:3260
  C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 2⤵ PID:4404
  C:\Windows\system32\SppExtComObj.exe C:\Windows\system32\SppExtComObj.exe -Embedding 2⤵ PID:1864
  C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe 2⤵ PID:3756
  C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 2⤵ PID:4852
  C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 2⤵ PID:3688
  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 2⤵ PID:3516
  C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 2⤵ PID:1408
  C:\Windows\System32\mousocoreworker.exe C:\Windows\System32\mousocoreworker.exe -Embedding 2⤵ PID:4612
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵ PID:788
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc 1⤵ PID:540
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p 1⤵ PID:428
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc 1⤵ PID:1700
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p 1⤵ PID:1880
C:\Windows\System32\spoolsv.exe C:\Windows\System32\spoolsv.exe 1⤵ PID:720
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection 1⤵ PID:1976
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository 1⤵ PID:1920
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 1⤵ PID:1900
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache 1⤵ PID:1892
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm 1⤵ PID:1816
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p 1⤵ PID:1772
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc 1⤵ PID:1668
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder 1⤵ PID:1636
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation 1⤵ PID:2116
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:2416
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt 1⤵ PID:2660
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks 1⤵ PID:2648
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer 1⤵ PID:2612
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2556
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc 1⤵ PID:2532
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService 1⤵ PID:2668
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:2716
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵ PID:2132
  C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" 2⤵ PID:1692
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe /c net stop MpsSvc 3⤵ PID:1660
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe net stop MpsSvc 4⤵ PID:5060
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop MpsSvc 5⤵ PID:4252
    C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe 3⤵ PID:4616
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe explorer.exe 4⤵ PID:4152
      - Modifies Installed Components in the registry
      C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" 4⤵ PID:2064
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
        C:\windows\SysWOW64\microsoft\bin\windows.exe "C:\windows\system32\microsoft\bin\windows.exe" 5⤵ PID:1244
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
          C:\Windows\SysWOW64\cmd.exe /c net stop MpsSvc 6⤵ PID:4168
            C:\Windows\SysWOW64\net.exe net stop MpsSvc 7⤵ PID:1988
              C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop MpsSvc 8⤵ PID:3660
          C:\windows\SysWOW64\microsoft\bin\windows.exe C:\windows\SysWOW64\microsoft\bin\windows.exe 6⤵ PID:3280
          - Executes dropped EXE
            C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 544 7⤵ PID:4940
            - Drops file in Windows directory
            - Program crash
            - Suspicious use of AdjustPrivilegeToken
              C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 648 8⤵ PID:4696
              - Program crash
              - Checks processor information in registry
              - Enumerates system info in registry
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc 1⤵ PID:2340
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time 1⤵ PID:3012
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc 1⤵ PID:2288
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc 1⤵ PID:4716
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc 1⤵ PID:2552
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager 1⤵ PID:4732
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p 1⤵ PID:4264
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service 1⤵ PID:2524
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2456
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent 1⤵ PID:2320
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT 1⤵ PID:2312
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache 1⤵ PID:1628
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS 1⤵ PID:1560
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp 1⤵ PID:1480
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager 1⤵ PID:1396
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes 1⤵ PID:1372
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem 1⤵ PID:1356
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s nsi 1⤵ PID:1340
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc 1⤵ PID:1256
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog 1⤵ PID:1228
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc 1⤵ PID:1192
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 1⤵ PID:1100
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc 1⤵ PID:1036
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService 1⤵ PID:1028
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts 1⤵ PID:688
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup 1⤵ PID:980
  C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3280 -ip 3280 2⤵ PID:1124
  - Suspicious use of NtCreateProcessExOtherParentProcess
  C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4940 -ip 4940 2⤵ PID:4184
C:\Windows\System32\WaaSMedicAgent.exe C:\Windows\System32\WaaSMedicAgent.exe 8746cef025cd36a47dc626f7391c34b3 eYmZbZQ62kGF77bHBITviQ.0.1.0.0.0 1⤵ PID:2216
  C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 2⤵ PID:2104
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv 1⤵ PID:1068
C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe 1⤵ PID:3792
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc 1⤵ PID:3104
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Filesize 387KB
MD5 2184e73b4a2ecee7a726b2d7f8374946
SHA1 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
-
Filesize 240KB
MD5 b2c82cbdb8f096f842da7521b7944713
SHA1 bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54
SHA256 ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b
SHA512 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a