Analysis
max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-03-2023 22:20
Static task: static1
Behavioral task: behavioral1
Sample: af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe
Resource: win10v2004-20230220-en
General
Target: af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe
Size: 1.0MB
MD5: e17e532056fc57f6eb56a08e99bd5b2e
SHA1: 93438f3fd0663c0a7ab5ba470ec2dcd17c1f1b34
SHA256: af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97
SHA512: 491be34431249c9be6919475afb1e10e157123d82f092d46939233c7a1e869efaef764aebc7c8e1eaa8ab2a9dd0dd1ee6aa99d1b39a9a6a2583b84c0abf63582
SSDEEP: 24576:hyeMYOP9lxlOkUt75Fj79felH+IMa+HE5Rro6ViRH4bgrw:UHYAPxlOBJ5pBeAIMHCxiRYb
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
build_main
80.85.156.168:20189
-
auth_value
5e5c9cacc6d168f8ade7fb6419edb114
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5000-1286-0x0000000002B90000-0x0000000002BAC000-memory.dmp | family_rhadamanthys
behavioral1/memory/1828-1291-0x00000000013E0000-0x00000000013FC000-memory.dmp | family_rhadamanthys
behavioral1/memory/5000-1293-0x0000000004AC0000-0x0000000005AC0000-memory.dmp | family_rhadamanthys
behavioral1/memory/5000-1296-0x0000000002B90000-0x0000000002BAC000-memory.dmp | family_rhadamanthys
-
Processes:
mx8667Xd.exe, ns8198Nr.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | mx8667Xd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mx8667Xd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mx8667Xd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mx8667Xd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mx8667Xd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mx8667Xd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ns8198Nr.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
KMuffPQJRlr6.exe
description | pid | process | target process
PID 5044 created 2724 | 5044 | KMuffPQJRlr6.exe | taskhostw.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ry86Py58.exe, legenda.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | ry86Py58.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | legenda.exe
-
Executes dropped EXE 14 IoCs
Processes:
will4093.exe, will0558.exe, will7748.exe, mx8667Xd.exe, ns8198Nr.exe, py19DH08.exe, qs5647ix.exe, ry86Py58.exe, legenda.exe, KMuffPQJRlr6.exe, svchost.exe, serv.exe, legenda.exe, legenda.exe
pid | process
5092 | will4093.exe
384 | will0558.exe
3540 | will7748.exe
4496 | mx8667Xd.exe
1856 | ns8198Nr.exe
4744 | py19DH08.exe
3824 | qs5647ix.exe
1460 | ry86Py58.exe
4184 | legenda.exe
5044 | KMuffPQJRlr6.exe
2408 | svchost.exe
5000 | serv.exe
1692 | legenda.exe
4752 | legenda.exe
-
Loads dropped DLL 2 IoCs
Processes:
KMuffPQJRlr6.exe, rundll32.exe
pid | process
5044 | KMuffPQJRlr6.exe
3868 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
mx8667Xd.exe, ns8198Nr.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mx8667Xd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ns8198Nr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ns8198Nr.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe, will4093.exe, will0558.exe, will7748.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will4093.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | will4093.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will0558.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | will0558.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will7748.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | will7748.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
serv.exe
pid | process
5000 | serv.exe
5000 | serv.exe
5000 | serv.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
KMuffPQJRlr6.exe
description | pid | process | target process
PID 5044 set thread context of 860 | 5044 | KMuffPQJRlr6.exe | ngentask.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
Processes:
WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
904 | 1856 | WerFault.exe | ns8198Nr.exe
4668 | 4744 | WerFault.exe | py19DH08.exe
3744 | 5044 | WerFault.exe | KMuffPQJRlr6.exe
316 | 5044 | WerFault.exe | KMuffPQJRlr6.exe
4464 | 5000 | WerFault.exe | serv.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
serv.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | serv.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
PID 2724: C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID 1828: C:\Windows\SysWOW64\fontview.exe
      Command line: "C:\Windows\SYSWOW64\fontview.exe"
PID 4024: C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af57201f58f444088a8e26ca0f38cadbc4e1d0966804103553033a6f89e32f97.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    PID 5092: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will4093.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        PID 384: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will0558.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            PID 3540: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will7748.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
                PID 4496: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx8667Xd.exe
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                PID 1856: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns8198Nr.exe
                  - Modifies Windows Defender Real-time Protection settings
                  - Executes dropped EXE
                  - Windows security modification
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                    PID 904: C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1072
                      - Program crash
            PID 4744: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py19DH08.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                PID 4668: C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1336
                  - Program crash
        PID 3824: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs5647ix.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    PID 1460: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry86Py58.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        PID 4184: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            PID 540: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory
            PID 3540: C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
              - Creates scheduled task(s)
            PID 5044: C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
                PID 860: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
                  - Suspicious behavior: EnumeratesProcesses
                PID 3744: C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1328
                  - Program crash
                PID 316: C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1392
                  - Program crash
            PID 2408: C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
              - Executes dropped EXE
                PID 4052: C:\Windows\SysWOW64\Wbem\wmic.exe
                  Command line: wmic os get Caption
                  - Suspicious use of AdjustPrivilegeToken
                PID 3520: C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /C "wmic path win32_VideoController get name"
                PID 5004: C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /C "wmic cpu get name"
                    PID 2140: C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: wmic cpu get name
            PID 5000: C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Checks SCSI registry key(s)
                PID 4464: C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 736
                  - Program crash
            PID 3868: C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
              - Loads dropped DLL
PID 5024: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1856 -ip 1856
PID 320: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4744 -ip 4744
PID 4660: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID 1020: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
PID 4296: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\f22b669919" /P "Admin:N"
PID 2120: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "..\f22b669919" /P "Admin:R" /E
PID 3616: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "legenda.exe" /P "Admin:R" /E
PID 4456: C:\Windows\SysWOW64\cacls.exe
  Command line: CACLS "legenda.exe" /P "Admin:N"
PID 1132: C:\Windows\SysWOW64\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  - Suspicious use of AdjustPrivilegeToken
PID 1692: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  - Executes dropped EXE
PID 3208: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5044 -ip 5044
PID 768: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5044 -ip 5044
PID 4472: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5000 -ip 5000
PID 4752: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2KB
MD58c7576873886d730d55e52070f35fea0
SHA1cf8b732cb49dad4e69c8948a6f0b7b87b9b0ccf1
SHA25606b631bf6ea97d79ea2215efa0323aab64bd1b53283ef8640c2a8fd37cac9caa
SHA512374dff92bb31dfb74ec66084dcc8764e166f4adc7c57113d813b430e420b8bcc9e1300aae5f4b2ff09ad3d5b152a8240901ed3acfc76c4788d9ad3442cd2db28
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
72KB
MD55aeeafe26d1e0441647e0b0d7b880c81
SHA145a00f65a99d1cec35bd6a21891ac469a86f451c
SHA256c94d79620e27865ba796be4cbfd98087da8a47f78e07e7220084de05354381dd
SHA5123e70b065b194f14f1ec2735b6003943b492c29a78e12029ae42574cda7fdc785c24eae0c98fbd9a1167ac938387d78aead68688299e3aaf1971794938ab903c5
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
223B
MD594cbeec5d4343918fd0e48760e40539c
SHA1a049266c5c1131f692f306c8710d7e72586ae79d
SHA25648eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA5124e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0