Analysis
-
max time kernel
148s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
18-03-2023 22:32
Static task
static1
Behavioral task
behavioral1
Sample
bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe
Resource
win10v2004-20230220-en
General
-
Target
bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe
-
Size
1.0MB
-
MD5
160439c9c8a651dd5637dafdbd9e36fc
-
SHA1
5871946b79323692701fd4fbea91e2cc4b04a82d
-
SHA256
bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d
-
SHA512
3b84cdf624ce78bdbeb1fd59fb35fb7200c68230eeb63c16d01a91900fd8cccfa5cf5be17ab92b4d38eb0176f743b4ac9ddf3816aa920086bbddf4b4dfd2eef5
-
SSDEEP
24576:myH2UksDu0L2AoBP59YAEHyIhng9AdS6B32A:1H2UA0L2rWA7IFS6x2
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
build_main
80.85.156.168:20189
-
auth_value
5e5c9cacc6d168f8ade7fb6419edb114
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2712-1290-0x0000000004790000-0x00000000047AC000-memory.dmp family_rhadamanthys behavioral1/memory/4260-1294-0x0000000000C20000-0x0000000000C3C000-memory.dmp family_rhadamanthys behavioral1/memory/2712-1299-0x0000000004790000-0x00000000047AC000-memory.dmp family_rhadamanthys -
Processes:
ns0448EK.exemx6026Th.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns0448EK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns0448EK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mx6026Th.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mx6026Th.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mx6026Th.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns0448EK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns0448EK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns0448EK.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mx6026Th.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mx6026Th.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mx6026Th.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ns0448EK.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
Processes:
resource yara_rule behavioral1/memory/2728-214-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-212-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-217-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-219-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-221-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-223-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-225-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-227-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-229-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-231-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-233-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-235-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-237-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-239-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-241-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-243-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-247-0x0000000007100000-0x000000000713E000-memory.dmp family_redline behavioral1/memory/2728-245-0x0000000007100000-0x000000000713E000-memory.dmp family_redline -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
KMuffPQJRlr6.exedescription pid process target process PID 4988 created 2592 4988 KMuffPQJRlr6.exe taskhostw.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ry21sk83.exelegenda.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation ry21sk83.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation legenda.exe -
Executes dropped EXE 14 IoCs
Processes:
will5171.exewill1828.exewill8364.exemx6026Th.exens0448EK.exepy69re87.exeqs1092Ua.exery21sk83.exelegenda.exeKMuffPQJRlr6.exesvchost.exeserv.exelegenda.exelegenda.exepid process 2140 will5171.exe 2452 will1828.exe 2500 will8364.exe 3804 mx6026Th.exe 3584 ns0448EK.exe 2728 py69re87.exe 1816 qs1092Ua.exe 2884 ry21sk83.exe 1524 legenda.exe 4988 KMuffPQJRlr6.exe 4580 svchost.exe 2712 serv.exe 2012 legenda.exe 2792 legenda.exe -
Loads dropped DLL 2 IoCs
Processes:
KMuffPQJRlr6.exerundll32.exepid process 4988 KMuffPQJRlr6.exe 5020 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
mx6026Th.exens0448EK.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mx6026Th.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ns0448EK.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ns0448EK.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
will8364.exebae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exewill5171.exewill1828.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will8364.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" will8364.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will5171.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will5171.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will1828.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" will1828.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
serv.exepid process 2712 serv.exe 2712 serv.exe 2712 serv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
KMuffPQJRlr6.exedescription pid process target process PID 4988 set thread context of 4548 4988 KMuffPQJRlr6.exe ngentask.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4208 3584 WerFault.exe ns0448EK.exe 4680 2728 WerFault.exe py69re87.exe 4620 2712 WerFault.exe serv.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
serv.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 serv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID serv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
mx6026Th.exens0448EK.exepy69re87.exeqs1092Ua.exeKMuffPQJRlr6.exengentask.exepid process 3804 mx6026Th.exe 3804 mx6026Th.exe 3584 ns0448EK.exe 3584 ns0448EK.exe 2728 py69re87.exe 2728 py69re87.exe 1816 qs1092Ua.exe 1816 qs1092Ua.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4988 KMuffPQJRlr6.exe 4548 ngentask.exe 4548 ngentask.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
mx6026Th.exens0448EK.exepy69re87.exeqs1092Ua.exewmic.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3804 mx6026Th.exe Token: SeDebugPrivilege 3584 ns0448EK.exe Token: SeDebugPrivilege 2728 py69re87.exe Token: SeDebugPrivilege 1816 qs1092Ua.exe Token: SeIncreaseQuotaPrivilege 4324 wmic.exe Token: SeSecurityPrivilege 4324 wmic.exe Token: SeTakeOwnershipPrivilege 4324 wmic.exe Token: SeLoadDriverPrivilege 4324 wmic.exe Token: SeSystemProfilePrivilege 4324 wmic.exe Token: SeSystemtimePrivilege 4324 wmic.exe Token: SeProfSingleProcessPrivilege 4324 wmic.exe Token: SeIncBasePriorityPrivilege 4324 wmic.exe Token: SeCreatePagefilePrivilege 4324 wmic.exe Token: SeBackupPrivilege 4324 wmic.exe Token: SeRestorePrivilege 4324 wmic.exe Token: SeShutdownPrivilege 4324 wmic.exe Token: SeDebugPrivilege 4324 wmic.exe Token: SeSystemEnvironmentPrivilege 4324 wmic.exe Token: SeRemoteShutdownPrivilege 4324 wmic.exe Token: SeUndockPrivilege 4324 wmic.exe Token: SeManageVolumePrivilege 4324 wmic.exe Token: 33 4324 wmic.exe Token: 34 4324 wmic.exe Token: 35 4324 wmic.exe Token: 36 4324 wmic.exe Token: SeIncreaseQuotaPrivilege 4324 wmic.exe Token: SeSecurityPrivilege 4324 wmic.exe Token: SeTakeOwnershipPrivilege 4324 wmic.exe Token: SeLoadDriverPrivilege 4324 wmic.exe Token: SeSystemProfilePrivilege 4324 wmic.exe Token: SeSystemtimePrivilege 4324 wmic.exe Token: SeProfSingleProcessPrivilege 4324 wmic.exe Token: SeIncBasePriorityPrivilege 4324 wmic.exe Token: SeCreatePagefilePrivilege 4324 wmic.exe Token: SeBackupPrivilege 4324 wmic.exe Token: SeRestorePrivilege 4324 wmic.exe Token: SeShutdownPrivilege 4324 wmic.exe Token: SeDebugPrivilege 4324 wmic.exe Token: SeSystemEnvironmentPrivilege 4324 wmic.exe Token: SeRemoteShutdownPrivilege 4324 wmic.exe Token: SeUndockPrivilege 4324 wmic.exe Token: SeManageVolumePrivilege 4324 wmic.exe Token: 33 4324 wmic.exe Token: 34 4324 wmic.exe Token: 35 4324 wmic.exe Token: 36 4324 wmic.exe Token: SeIncreaseQuotaPrivilege 1784 WMIC.exe Token: SeSecurityPrivilege 1784 WMIC.exe Token: SeTakeOwnershipPrivilege 1784 WMIC.exe Token: SeLoadDriverPrivilege 1784 WMIC.exe Token: SeSystemProfilePrivilege 1784 WMIC.exe Token: SeSystemtimePrivilege 1784 WMIC.exe Token: SeProfSingleProcessPrivilege 1784 WMIC.exe Token: SeIncBasePriorityPrivilege 1784 WMIC.exe Token: SeCreatePagefilePrivilege 1784 WMIC.exe Token: SeBackupPrivilege 1784 WMIC.exe Token: SeRestorePrivilege 1784 WMIC.exe Token: SeShutdownPrivilege 1784 WMIC.exe Token: SeDebugPrivilege 1784 WMIC.exe Token: SeSystemEnvironmentPrivilege 1784 WMIC.exe Token: SeRemoteShutdownPrivilege 1784 WMIC.exe Token: SeUndockPrivilege 1784 WMIC.exe Token: SeManageVolumePrivilege 1784 WMIC.exe Token: 33 1784 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exewill5171.exewill1828.exewill8364.exery21sk83.exelegenda.execmd.exeKMuffPQJRlr6.exedescription pid process target process PID 2676 wrote to memory of 2140 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe will5171.exe PID 2676 wrote to memory of 2140 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe will5171.exe PID 2676 wrote to memory of 2140 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe will5171.exe PID 2140 wrote to memory of 2452 2140 will5171.exe will1828.exe PID 2140 wrote to memory of 2452 2140 will5171.exe will1828.exe PID 2140 wrote to memory of 2452 2140 will5171.exe will1828.exe PID 2452 wrote to memory of 2500 2452 will1828.exe will8364.exe PID 2452 wrote to memory of 2500 2452 will1828.exe will8364.exe PID 2452 wrote to memory of 2500 2452 will1828.exe will8364.exe PID 2500 wrote to memory of 3804 2500 will8364.exe mx6026Th.exe PID 2500 wrote to memory of 3804 2500 will8364.exe mx6026Th.exe PID 2500 wrote to memory of 3584 2500 will8364.exe ns0448EK.exe PID 2500 wrote to memory of 3584 2500 will8364.exe ns0448EK.exe PID 2500 wrote to memory of 3584 2500 will8364.exe ns0448EK.exe PID 2452 wrote to memory of 2728 2452 will1828.exe py69re87.exe PID 2452 wrote to memory of 2728 2452 will1828.exe py69re87.exe PID 2452 wrote to memory of 2728 2452 will1828.exe py69re87.exe PID 2140 wrote to memory of 1816 2140 will5171.exe qs1092Ua.exe PID 2140 wrote to memory of 1816 2140 will5171.exe qs1092Ua.exe PID 2140 wrote to memory of 1816 2140 will5171.exe qs1092Ua.exe PID 2676 wrote to memory of 2884 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe ry21sk83.exe PID 2676 wrote to memory of 2884 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe ry21sk83.exe PID 2676 wrote to memory of 2884 2676 bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe ry21sk83.exe PID 2884 wrote to memory of 1524 2884 ry21sk83.exe legenda.exe PID 2884 wrote to memory of 1524 2884 ry21sk83.exe legenda.exe PID 2884 wrote to memory of 1524 2884 ry21sk83.exe legenda.exe PID 1524 wrote to memory of 4868 1524 legenda.exe schtasks.exe PID 1524 wrote to memory of 4868 1524 legenda.exe schtasks.exe PID 1524 wrote to memory of 4868 1524 legenda.exe schtasks.exe PID 1524 wrote to memory of 4596 1524 legenda.exe cmd.exe PID 1524 wrote to memory of 4596 1524 legenda.exe cmd.exe PID 1524 wrote to memory of 4596 1524 legenda.exe cmd.exe PID 4596 wrote to memory of 3764 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 3764 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 3764 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 5020 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 5020 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 5020 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 3216 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 3216 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 3216 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 1344 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 1344 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 1344 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 4448 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4448 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4448 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 2128 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 2128 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 2128 4596 cmd.exe cacls.exe PID 1524 wrote to memory of 4988 1524 legenda.exe KMuffPQJRlr6.exe PID 1524 wrote to memory of 4988 1524 legenda.exe KMuffPQJRlr6.exe PID 1524 wrote to memory of 4988 1524 legenda.exe KMuffPQJRlr6.exe PID 1524 wrote to memory of 4580 1524 legenda.exe svchost.exe PID 1524 wrote to memory of 4580 1524 legenda.exe svchost.exe PID 1524 wrote to memory of 4580 1524 legenda.exe svchost.exe PID 1524 wrote to memory of 2712 1524 legenda.exe serv.exe PID 1524 wrote to memory of 2712 1524 legenda.exe serv.exe PID 1524 wrote to memory of 2712 1524 legenda.exe serv.exe PID 4988 wrote to memory of 4548 4988 KMuffPQJRlr6.exe ngentask.exe PID 4988 wrote to memory of 4548 4988 KMuffPQJRlr6.exe ngentask.exe PID 4988 wrote to memory of 4548 4988 KMuffPQJRlr6.exe ngentask.exe PID 4988 wrote to memory of 4548 4988 KMuffPQJRlr6.exe ngentask.exe PID 4988 wrote to memory of 4548 4988 KMuffPQJRlr6.exe ngentask.exe
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2592
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵PID:4260
-
-
C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe"C:\Users\Admin\AppData\Local\Temp\bae7b9ada9435c572f11a27af110fb2ee2179021d49608180801a4192e730e2d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5171.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will1828.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will8364.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6026Th.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0448EK.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 10886⤵
- Program crash
PID:4208
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py69re87.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 19525⤵
- Program crash
PID:4680
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs1092Ua.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry21sk83.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F4⤵
- Creates scheduled task(s)
PID:4868
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:3764
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legenda.exe" /P "Admin:N"5⤵PID:5020
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legenda.exe" /P "Admin:R" /E5⤵PID:3216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1344
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\f22b669919" /P "Admin:N"5⤵PID:4448
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\f22b669919" /P "Admin:R" /E5⤵PID:2128
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"4⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"5⤵PID:4892
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"5⤵PID:4644
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name6⤵PID:2808
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:2712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 6925⤵
- Program crash
PID:4620
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
PID:5020
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3584 -ip 35841⤵PID:1996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2728 -ip 27281⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exeC:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe1⤵
- Executes dropped EXE
PID:2012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2712 -ip 27121⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exeC:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe1⤵
- Executes dropped EXE
PID:2792
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
354KB
MD56d81d19b6e02e1dc86b1bd2eb40e1507
SHA1645e362eb27610601c57b9ca78d80ee84a5c0640
SHA256178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1
SHA5129fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc
-
Filesize
354KB
MD56d81d19b6e02e1dc86b1bd2eb40e1507
SHA1645e362eb27610601c57b9ca78d80ee84a5c0640
SHA256178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1
SHA5129fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc
-
Filesize
354KB
MD56d81d19b6e02e1dc86b1bd2eb40e1507
SHA1645e362eb27610601c57b9ca78d80ee84a5c0640
SHA256178f26c99326101da77ce0620eb9fe584833d6ea8442913fe7ede38b72316db1
SHA5129fa181b27f826b494a72d6498c83fe7cb7f31a98f28c5f50c4ed97a2d505ae7d032bbfcb5d0ca67864206ff72e487129749b64074003d0f33a5f4b2aefe060bc
-
Filesize
334KB
MD5098a4aa93e275de54bbc35ae4b981301
SHA1d03646dc7c63e0784393f74085405c794b8555af
SHA2565e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA5122e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
851KB
MD55f964c2fa494030bd675007fea7a340a
SHA11e2d50ca003c04165f09a6d04dab8e20b73e688f
SHA256ea909381b9a73697f4278a7cbba9b6ddd98f2822a228389d046f0a54a40df8d9
SHA51281d327bc80088b4a7499ed185743c82cc28fa3940d1f722bf9d3a91aa8e61dc203eb4d109d2622cda16143a202040155f094ff59540fa3e8b4ced9a232bf0321
-
Filesize
851KB
MD55f964c2fa494030bd675007fea7a340a
SHA11e2d50ca003c04165f09a6d04dab8e20b73e688f
SHA256ea909381b9a73697f4278a7cbba9b6ddd98f2822a228389d046f0a54a40df8d9
SHA51281d327bc80088b4a7499ed185743c82cc28fa3940d1f722bf9d3a91aa8e61dc203eb4d109d2622cda16143a202040155f094ff59540fa3e8b4ced9a232bf0321
-
Filesize
175KB
MD53389637c0d072121bf1b127629736d37
SHA1300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA2562b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4
-
Filesize
175KB
MD53389637c0d072121bf1b127629736d37
SHA1300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA2562b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4
-
Filesize
706KB
MD5cb61c0fd640171298eaff3bb7b096591
SHA119dc47bc150c090cac0bbd11e8cad26c89f6f3a2
SHA256a1c172d051708b428f8d064e994aa7aceb031e817008648da7c49541e1e5610b
SHA512360da9cad5dc60f1439b4a567f5d1a2f50530e9e98260d42f4d908321033cfcedae9b676748c6aa5410a4e66e52c28663a54d9ec855ffec1ad3bba7e0f69eee4
-
Filesize
706KB
MD5cb61c0fd640171298eaff3bb7b096591
SHA119dc47bc150c090cac0bbd11e8cad26c89f6f3a2
SHA256a1c172d051708b428f8d064e994aa7aceb031e817008648da7c49541e1e5610b
SHA512360da9cad5dc60f1439b4a567f5d1a2f50530e9e98260d42f4d908321033cfcedae9b676748c6aa5410a4e66e52c28663a54d9ec855ffec1ad3bba7e0f69eee4
-
Filesize
391KB
MD56f556cb991c66123db790dc867974aac
SHA17c2276b09e48a3e809f4b6695ad558f116c516e6
SHA25666de5a29b8802ad91ea116be0b6fd3c7974655d0f7b2308d5f96e36a13b470db
SHA512ff8e059b12ebdd9dd7d1375eafe5c778e996d343705c2092b8479610a822073076f5f33afca13fadcf303caec0c70707ca58928a70199b488dfe56d0d247982b
-
Filesize
391KB
MD56f556cb991c66123db790dc867974aac
SHA17c2276b09e48a3e809f4b6695ad558f116c516e6
SHA25666de5a29b8802ad91ea116be0b6fd3c7974655d0f7b2308d5f96e36a13b470db
SHA512ff8e059b12ebdd9dd7d1375eafe5c778e996d343705c2092b8479610a822073076f5f33afca13fadcf303caec0c70707ca58928a70199b488dfe56d0d247982b
-
Filesize
353KB
MD5dae37348bb5a160cc1e011b011654178
SHA1f7b8491cb68cc2aa1989ecb38c72130879ff9b2d
SHA256cb459dd0dbf0cc23615ab13b8ff459f5349bd05fc81ad089bff1a869d742fbd6
SHA512d1bff775cff9fd369e92bb989a25c62b7349dc172f662645e819099f12772eeb6c6c5e4299064e1a6d902a61f5bb9b731fc1d52666a42ab55c1080e7a9ab1a16
-
Filesize
353KB
MD5dae37348bb5a160cc1e011b011654178
SHA1f7b8491cb68cc2aa1989ecb38c72130879ff9b2d
SHA256cb459dd0dbf0cc23615ab13b8ff459f5349bd05fc81ad089bff1a869d742fbd6
SHA512d1bff775cff9fd369e92bb989a25c62b7349dc172f662645e819099f12772eeb6c6c5e4299064e1a6d902a61f5bb9b731fc1d52666a42ab55c1080e7a9ab1a16
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
333KB
MD50d788ff51f171840cebd933821d299c7
SHA1826846204120eb248b9e64fc2898a461099d3f57
SHA2565b125ab9166a213a34694e085eee5a08dc4984b56afa6011a1b6f8ac2ba3b14b
SHA51246c923a6548a2ee09b2a7100ef9ecd39f5ec4b804386e6b2fc877165b869c5dd58eab6827397ac3b455ba92f7dcb32ff57710c01bcc92817afbd160057c6e975
-
Filesize
333KB
MD50d788ff51f171840cebd933821d299c7
SHA1826846204120eb248b9e64fc2898a461099d3f57
SHA2565b125ab9166a213a34694e085eee5a08dc4984b56afa6011a1b6f8ac2ba3b14b
SHA51246c923a6548a2ee09b2a7100ef9ecd39f5ec4b804386e6b2fc877165b869c5dd58eab6827397ac3b455ba92f7dcb32ff57710c01bcc92817afbd160057c6e975
-
Filesize
2KB
MD5dce9b749d38fdc247ab517e8a76e6102
SHA1d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA2565087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA51256c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
71KB
MD592d24961d2ebaacf1ace5463dfc9930d
SHA199ffaf6904ab616c33a37ce01d383e4a493df335
SHA2569013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA51277598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
223B
MD594cbeec5d4343918fd0e48760e40539c
SHA1a049266c5c1131f692f306c8710d7e72586ae79d
SHA25648eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA5124e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0