Analysis
-
max time kernel: 113s
-
max time network: 144s
-
platform: windows10-1703_x64
-
resource: win10-20230220-en
-
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
-
submitted: 18-03-2023 23:35
Static task
static1
Behavioral task
behavioral1
Sample
934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe
Resource
win10-20230220-en
General
-
Target
934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe
-
Size
1.0MB
-
MD5
13d663251ecd6368c2ccfad1e19a2aa0
-
SHA1
dc11f14bf1af927275451db1b91a43bbc8a4c50a
-
SHA256
934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92
-
SHA512
a50fcbaaeb0fae15e62f36ae9403735cefe0a55b33cc4a3de48821ea66ff1c578adcacc5c9cc16cc63cae6d4ae4e8a85e9da44cab6ba4fd42ee564dfb4e54db1
-
SSDEEP
24576:FyKTPtqPP92E7XFSavH9IrJJBDUSd+UzvhLp50:gK5qPP92IX9IpPHv1
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
build_main
80.85.156.168:20189
-
auth_value
5e5c9cacc6d168f8ade7fb6419edb114
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2496-1247-0x00000000001E0000-0x00000000001FC000-memory.dmp | family_rhadamanthys
behavioral1/memory/1452-1251-0x0000000002BC0000-0x0000000002BDC000-memory.dmp | family_rhadamanthys
behavioral1/memory/2496-1255-0x00000000001E0000-0x00000000001FC000-memory.dmp | family_rhadamanthys
-
Processes: mx6821ff.exe, ns3060an.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mx6821ff.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mx6821ff.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ns3060an.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ns3060an.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mx6821ff.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mx6821ff.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mx6821ff.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ns3060an.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ns3060an.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ns3060an.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: KMuffPQJRlr6.exe
description | pid | process | target process
PID 612 created 2940 | 612 | KMuffPQJRlr6.exe | taskhostw.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
Processes: will8838.exe, will2733.exe, will3776.exe, mx6821ff.exe, ns3060an.exe, py47XW79.exe, qs9159Xc.exe, ry01KF72.exe, legenda.exe, KMuffPQJRlr6.exe, svchost.exe, serv.exe, legenda.exe
pid | process
8 | will8838.exe
4720 | will2733.exe
4796 | will3776.exe
4908 | mx6821ff.exe
4940 | ns3060an.exe
3648 | py47XW79.exe
2596 | qs9159Xc.exe
3484 | ry01KF72.exe
4204 | legenda.exe
612 | KMuffPQJRlr6.exe
2600 | svchost.exe
2496 | serv.exe
3724 | legenda.exe
-
Loads dropped DLL 2 IoCs
Processes: KMuffPQJRlr6.exe, rundll32.exe
pid | process
612 | KMuffPQJRlr6.exe
3516 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: ns3060an.exe, mx6821ff.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ns3060an.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mx6821ff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ns3060an.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: will2733.exe, will3776.exe, 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe, will8838.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | will2733.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will3776.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | will3776.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will8838.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | will8838.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will2733.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: serv.exe
pid | process
2496 | serv.exe
2496 | serv.exe
2496 | serv.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: KMuffPQJRlr6.exe
description | pid | process | target process
PID 612 set thread context of 1780 | 612 | KMuffPQJRlr6.exe | ngentask.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4904 | 612 | WerFault.exe | KMuffPQJRlr6.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: serv.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | serv.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: mx6821ff.exe, ns3060an.exe, py47XW79.exe, qs9159Xc.exe, KMuffPQJRlr6.exe, ngentask.exe
pid | process
4908 | mx6821ff.exe
4940 | ns3060an.exe
3648 | py47XW79.exe
2596 | qs9159Xc.exe
612 | KMuffPQJRlr6.exe
1780 | ngentask.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: mx6821ff.exe, ns3060an.exe, py47XW79.exe, qs9159Xc.exe, wmic.exe, WMIC.exe
pid | process | token
4908 | mx6821ff.exe | SeDebugPrivilege
4940 | ns3060an.exe | SeDebugPrivilege
3648 | py47XW79.exe | SeDebugPrivilege
2596 | qs9159Xc.exe | SeDebugPrivilege
336 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3692 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe, will8838.exe, will2733.exe, will3776.exe, ry01KF72.exe, legenda.exe, cmd.exe, KMuffPQJRlr6.exe
description | pid | process | target process
PID 4188 wrote to memory of 8 | 4188 | 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe | will8838.exe
PID 8 wrote to memory of 4720 | 8 | will8838.exe | will2733.exe
PID 4720 wrote to memory of 4796 | 4720 | will2733.exe | will3776.exe
PID 4796 wrote to memory of 4908 | 4796 | will3776.exe | mx6821ff.exe
PID 4796 wrote to memory of 4940 | 4796 | will3776.exe | ns3060an.exe
PID 4720 wrote to memory of 3648 | 4720 | will2733.exe | py47XW79.exe
PID 8 wrote to memory of 2596 | 8 | will8838.exe | qs9159Xc.exe
PID 4188 wrote to memory of 3484 | 4188 | 934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe | ry01KF72.exe
PID 3484 wrote to memory of 4204 | 3484 | ry01KF72.exe | legenda.exe
PID 4204 wrote to memory of 3856 | 4204 | legenda.exe | schtasks.exe
PID 4204 wrote to memory of 3500 | 4204 | legenda.exe | cmd.exe
PID 3500 wrote to memory of 1792 | 3500 | cmd.exe | cmd.exe
PID 3500 wrote to memory of 3220 | 3500 | cmd.exe | cacls.exe
PID 3500 wrote to memory of 1592 | 3500 | cmd.exe | cacls.exe
PID 3500 wrote to memory of 3932 | 3500 | cmd.exe | cmd.exe
PID 3500 wrote to memory of 4356 | 3500 | cmd.exe | cacls.exe
PID 3500 wrote to memory of 3960 | 3500 | cmd.exe | cacls.exe
PID 4204 wrote to memory of 612 | 4204 | legenda.exe | KMuffPQJRlr6.exe
PID 4204 wrote to memory of 2600 | 4204 | legenda.exe | svchost.exe
PID 4204 wrote to memory of 2496 | 4204 | legenda.exe | serv.exe
PID 612 wrote to memory of 1780 | 612 | KMuffPQJRlr6.exe | ngentask.exe
Processes
-
[1] c:\windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2940
  [2] C:\Windows\SYSWOW64\fontview.exe
      Command line: "C:\Windows\SYSWOW64\fontview.exe"
      PID: 1452
-
[1] C:\Users\Admin\AppData\Local\Temp\934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\934f9cf6bc79eb4e4a2e9b82df7f024294c88eba57f5a19d43d2a9c3bbd7dc92.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4188
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8838.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8838.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 8
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2733.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2733.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 4720
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3776.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3776.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4796
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6821ff.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx6821ff.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4908
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns3060an.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns3060an.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4940
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py47XW79.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py47XW79.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3648
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs9159Xc.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs9159Xc.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2596
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry01KF72.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry01KF72.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3484
    [3] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 4204
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
          - Creates scheduled task(s)
          PID: 3856
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
          PID: 3500
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 1792
        [5] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "legenda.exe" /P "Admin:N"
            PID: 3220
        [5] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "legenda.exe" /P "Admin:R" /E
            PID: 1592
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 3932
        [5] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\f22b669919" /P "Admin:N"
            PID: 4356
        [5] C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\f22b669919" /P "Admin:R" /E
            PID: 3960
      [4] C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 612
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
            - Suspicious behavior: EnumeratesProcesses
            PID: 1780
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 456
            - Program crash
            PID: 4904
      [4] C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"
          - Executes dropped EXE
          PID: 2600
        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            Command line: wmic os get Caption
            - Suspicious use of AdjustPrivilegeToken
            PID: 336
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic path win32_VideoController get name"
            PID: 2476
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic path win32_VideoController get name
              - Suspicious use of AdjustPrivilegeToken
              PID: 3692
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic cpu get name"
            PID: 1328
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic cpu get name
              PID: 3848
      [4] C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Checks SCSI registry key(s)
          PID: 2496
      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          - Loads dropped DLL
          PID: 3516
-
[1] C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
    - Executes dropped EXE
    PID: 3724
Network
MITRE ATT&CK Enterprise v6
Downloads