Analysis
max time kernel: 127s
max time network: 122s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-03-2023 00:51
Static task: static1
Behavioral task: behavioral1
Sample: 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe
Resource: win10-20230220-en
General
Target: 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe
Size: 1.0MB
MD5: 5aeb282575caae1e3d29ab49ddf1ffb9
SHA1: fc371de3cb73f98dc7c9934ef356f5c3791b688a
SHA256: 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39
SHA512: ebaf8b4f5c0eb234f3ff7b3ba67506d7888b1ff8f6a213862d395ee4c141df0852fcab8973660eef9d80bdeaf194b7ef57f371a64d7c14217b11c6098024c9de
SSDEEP: 24576:ayyjhsF7TSIFYu2cE+zg/aIzbJWwphj4Nxs0InD:hyjhs5OIFDF/Iz4QhixsJ
Malware Config
Extracted
redline
gena
193.233.20.30:4125
auth_value: 93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
auth_value: fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
build_main
80.85.156.168:20189
auth_value: 5e5c9cacc6d168f8ade7fb6419edb114
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2596-1226-0x0000000002C30000-0x0000000002C4C000-memory.dmp | family_rhadamanthys
behavioral1/memory/2596-1249-0x0000000002C30000-0x0000000002C4C000-memory.dmp | family_rhadamanthys
behavioral1/memory/4048-1265-0x0000000003520000-0x000000000353C000-memory.dmp | family_rhadamanthys
behavioral1/memory/4048-1268-0x0000000003520000-0x000000000353C000-memory.dmp | family_rhadamanthys
Processes: ns2730HD.exe, mx2842fm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ns2730HD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mx2842fm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mx2842fm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ns2730HD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ns2730HD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ns2730HD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mx2842fm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mx2842fm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mx2842fm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ns2730HD.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: KMuffPQJRlr6.exe
description | pid | process | target process
PID 4980 created 2888 | 4980 | KMuffPQJRlr6.exe | taskhostw.exe
Downloads MZ/PE file
-
Executes dropped EXE 14 IoCs
Processes: will8154.exe, will9106.exe, will3700.exe, mx2842fm.exe, ns2730HD.exe, py42Wn05.exe, qs7466NF.exe, ry70aB57.exe, legenda.exe, KMuffPQJRlr6.exe, svchost.exe, serv.exe, legenda.exe, legenda.exe
pid | process
1604 | will8154.exe
1860 | will9106.exe
1288 | will3700.exe
2352 | mx2842fm.exe
3112 | ns2730HD.exe
3548 | py42Wn05.exe
4792 | qs7466NF.exe
3248 | ry70aB57.exe
4672 | legenda.exe
4980 | KMuffPQJRlr6.exe
3296 | svchost.exe
2596 | serv.exe
4112 | legenda.exe
3480 | legenda.exe
Loads dropped DLL 2 IoCs
Processes: KMuffPQJRlr6.exe, rundll32.exe
pid | process
4980 | KMuffPQJRlr6.exe
1856 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: ns2730HD.exe, mx2842fm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ns2730HD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mx2842fm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | ns2730HD.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes: 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe, will8154.exe, will9106.exe, will3700.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will8154.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | will8154.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will9106.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | will9106.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | will3700.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | will3700.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes: serv.exe, fontview.exe
pid | process
2596 | serv.exe
2596 | serv.exe
2596 | serv.exe
4048 | fontview.exe
4048 | fontview.exe
4048 | fontview.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: KMuffPQJRlr6.exe
description | pid | process | target process
PID 4980 set thread context of 3064 | 4980 | KMuffPQJRlr6.exe | ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3088 | 4980 | WerFault.exe | KMuffPQJRlr6.exe
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: fontview.exe, serv.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | serv.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | fontview.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | serv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | serv.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fontview.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
c:\windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} [PID:2888]
  C:\Windows\SYSWOW64\fontview.exe "C:\Windows\SYSWOW64\fontview.exe" [PID:4048]
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe "C:\Users\Admin\AppData\Local\Temp\09cfe8bdf28850d0ea52d9aaff906ee7f30300d1f1dd3e87641c1252b16bcc39.exe" [PID:1444]
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will8154.exe [PID:1604]
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will9106.exe [PID:1860]
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will3700.exe [PID:1288]
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx2842fm.exe [PID:2352]
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns2730HD.exe [PID:3112]
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py42Wn05.exe [PID:3548]
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs7466NF.exe [PID:4792]
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry70aB57.exe [PID:3248]
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" [PID:4672]
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F [PID:4680]
        - Creates scheduled task(s)
      C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit [PID:796]
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" [PID:2244]
        C:\Windows\SysWOW64\cacls.exe CACLS "legenda.exe" /P "Admin:N" [PID:5028]
        C:\Windows\SysWOW64\cacls.exe CACLS "legenda.exe" /P "Admin:R" /E [PID:4308]
        C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" [PID:1836]
        C:\Windows\SysWOW64\cacls.exe CACLS "..\f22b669919" /P "Admin:N" [PID:4412]
        C:\Windows\SysWOW64\cacls.exe CACLS "..\f22b669919" /P "Admin:R" /E [PID:4408]
      C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe "C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe" [PID:4980]
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" [PID:2656]
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" [PID:2652]
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" [PID:3064]
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 280 [PID:3088]
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe "C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe" [PID:3296]
        - Executes dropped EXE
        C:\Windows\SysWOW64\Wbem\wmic.exe wmic os get Caption [PID:32]
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe cmd /C "wmic path win32_VideoController get name" [PID:3236]
          C:\Windows\SysWOW64\Wbem\WMIC.exe wmic path win32_VideoController get name [PID:3404]
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe cmd /C "wmic cpu get name" [PID:600]
          C:\Windows\SysWOW64\Wbem\WMIC.exe wmic cpu get name [PID:816]
      C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe "C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe" [PID:2596]
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks SCSI registry key(s)
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main [PID:1856]
        - Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe [PID:4112]
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe [PID:3480]
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
71KB
MD595a12fa5756d0040e1c1284371ea17e4
SHA1a9c9c457a87ecca994364b6b0a8bbe815c64197d
SHA256805458918a058fbae738b7e4fc57e4d3b8317adf26d11b9b9e53e22bc946b562
SHA5121d71748f56e83e3d8e68bcec6a17ace238d904e767a10ef20c86be8c785ab3c3fea60c832e3b68e0277467ac1b053849d1f3d52bd872b2b9aa7206616ced56c5
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
223B
MD594cbeec5d4343918fd0e48760e40539c
SHA1a049266c5c1131f692f306c8710d7e72586ae79d
SHA25648eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA5124e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0
-
Filesize
334KB
MD5098a4aa93e275de54bbc35ae4b981301
SHA1d03646dc7c63e0784393f74085405c794b8555af
SHA2565e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA5122e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2