Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
19-03-2023 05:29
Static task
static1
Behavioral task
behavioral1
Sample
1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe
Resource
win10v2004-20230220-en
General
-
Target
1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe
-
Size
1.0MB
-
MD5
a3e93f17052e09850480382888204a66
-
SHA1
c626aea3ddade3ee15839537ba6ed345ba420e1d
-
SHA256
1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962
-
SHA512
0c1e56b0daf21ab7af700eff997a7b43c17cf1457656bb58d987c758b7af397f8dc2dfd0397de0b1405ad361d0ab96b98543375363e91f491186265178512c6d
-
SSDEEP
24576:2yPc0CGgbkOfNfk23+9bY9hBrhnVniwAX9FCslekVe6rOqelfh:FPcFaOOqws9hjnVnHqFp7e6rm
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Extracted
redline
vint
193.233.20.30:4125
-
auth_value
fb8811912f8370b3d23bffda092d88d0
Extracted
amadey
3.68
62.204.41.87/joomla/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
redline
66.42.108.195:40499
-
auth_value
f93019ca42e7f9440be3a7ee1ebc636d
Extracted
redline
build_main
80.85.156.168:20189
-
auth_value
5e5c9cacc6d168f8ade7fb6419edb114
Signatures
-
Detect rhadamanthys stealer shellcode 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2128-1294-0x0000000002BF0000-0x0000000002C0C000-memory.dmp family_rhadamanthys behavioral1/memory/1756-1298-0x0000000002890000-0x00000000028AC000-memory.dmp family_rhadamanthys behavioral1/memory/2128-1316-0x0000000002BF0000-0x0000000002C0C000-memory.dmp family_rhadamanthys -
Processes:
mx5018aw.exens0004go.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mx5018aw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mx5018aw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mx5018aw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mx5018aw.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns0004go.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mx5018aw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mx5018aw.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
Processes:
resource yara_rule behavioral1/memory/1168-210-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-211-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-213-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-215-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-217-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-219-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-221-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-225-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-229-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-231-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-233-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-235-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-237-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-241-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-239-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-243-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-245-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-247-0x00000000070F0000-0x000000000712E000-memory.dmp family_redline behavioral1/memory/1168-1128-0x0000000007210000-0x0000000007220000-memory.dmp family_redline -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
KMuffPQJRlr6.exedescription pid process target process PID 696 created 2564 696 KMuffPQJRlr6.exe taskhostw.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ry77dz98.exelegenda.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation ry77dz98.exe Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation legenda.exe -
Executes dropped EXE 16 IoCs
Processes:
will5944.exewill2104.exewill5230.exemx5018aw.exens0004go.exepy73SY97.exeqs8020zJ.exery77dz98.exelegenda.exeKMuffPQJRlr6.exesvchost.exeserv.exe123ds.exe123ds.exelegenda.exelegenda.exepid process 4080 will5944.exe 4112 will2104.exe 2884 will5230.exe 2344 mx5018aw.exe 4832 ns0004go.exe 1168 py73SY97.exe 492 qs8020zJ.exe 4816 ry77dz98.exe 1192 legenda.exe 696 KMuffPQJRlr6.exe 1220 svchost.exe 2128 serv.exe 1988 123ds.exe 4736 123ds.exe 4676 legenda.exe 4796 legenda.exe -
Loads dropped DLL 2 IoCs
Processes:
KMuffPQJRlr6.exerundll32.exepid process 696 KMuffPQJRlr6.exe 4440 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
mx5018aw.exens0004go.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mx5018aw.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ns0004go.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ns0004go.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exewill5944.exewill2104.exewill5230.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will5944.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will5944.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will2104.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" will2104.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce will5230.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" will5230.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
serv.exepid process 2128 serv.exe 2128 serv.exe 2128 serv.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
KMuffPQJRlr6.exedescription pid process target process PID 696 set thread context of 1680 696 KMuffPQJRlr6.exe ngentask.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4672 1168 WerFault.exe py73SY97.exe 2064 696 WerFault.exe KMuffPQJRlr6.exe 1140 696 WerFault.exe KMuffPQJRlr6.exe 800 2128 WerFault.exe serv.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
serv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 serv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID serv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI serv.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
mx5018aw.exens0004go.exepy73SY97.exeqs8020zJ.exeKMuffPQJRlr6.exengentask.exe123ds.exe123ds.exepid process 2344 mx5018aw.exe 2344 mx5018aw.exe 4832 ns0004go.exe 4832 ns0004go.exe 1168 py73SY97.exe 1168 py73SY97.exe 492 qs8020zJ.exe 492 qs8020zJ.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 696 KMuffPQJRlr6.exe 1680 ngentask.exe 1988 123ds.exe 1988 123ds.exe 4736 123ds.exe 4736 123ds.exe 1680 ngentask.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
mx5018aw.exens0004go.exepy73SY97.exeqs8020zJ.exengentask.exe123ds.exewmic.exe123ds.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2344 mx5018aw.exe Token: SeDebugPrivilege 4832 ns0004go.exe Token: SeDebugPrivilege 1168 py73SY97.exe Token: SeDebugPrivilege 492 qs8020zJ.exe Token: SeDebugPrivilege 1680 ngentask.exe Token: SeDebugPrivilege 1988 123ds.exe Token: SeIncreaseQuotaPrivilege 4768 wmic.exe Token: SeSecurityPrivilege 4768 wmic.exe Token: SeTakeOwnershipPrivilege 4768 wmic.exe Token: SeLoadDriverPrivilege 4768 wmic.exe Token: SeSystemProfilePrivilege 4768 wmic.exe Token: SeSystemtimePrivilege 4768 wmic.exe Token: SeProfSingleProcessPrivilege 4768 wmic.exe Token: SeIncBasePriorityPrivilege 4768 wmic.exe Token: SeCreatePagefilePrivilege 4768 wmic.exe Token: SeBackupPrivilege 4768 wmic.exe Token: SeRestorePrivilege 4768 wmic.exe Token: SeShutdownPrivilege 4768 wmic.exe Token: SeDebugPrivilege 4768 wmic.exe Token: SeSystemEnvironmentPrivilege 4768 wmic.exe Token: SeRemoteShutdownPrivilege 4768 wmic.exe Token: SeUndockPrivilege 4768 wmic.exe Token: SeManageVolumePrivilege 4768 wmic.exe Token: 33 4768 wmic.exe Token: 34 4768 wmic.exe Token: 35 4768 wmic.exe Token: 36 4768 wmic.exe Token: SeIncreaseQuotaPrivilege 4768 wmic.exe Token: SeSecurityPrivilege 4768 wmic.exe Token: SeTakeOwnershipPrivilege 4768 wmic.exe Token: SeLoadDriverPrivilege 4768 wmic.exe Token: SeSystemProfilePrivilege 4768 wmic.exe Token: SeSystemtimePrivilege 4768 wmic.exe Token: SeProfSingleProcessPrivilege 4768 wmic.exe Token: SeIncBasePriorityPrivilege 4768 wmic.exe Token: SeCreatePagefilePrivilege 4768 wmic.exe Token: SeBackupPrivilege 4768 wmic.exe Token: SeRestorePrivilege 4768 wmic.exe Token: SeShutdownPrivilege 4768 wmic.exe Token: SeDebugPrivilege 4768 wmic.exe Token: SeSystemEnvironmentPrivilege 4768 wmic.exe Token: SeRemoteShutdownPrivilege 4768 wmic.exe Token: SeUndockPrivilege 4768 wmic.exe Token: SeManageVolumePrivilege 4768 wmic.exe Token: 33 4768 wmic.exe Token: 34 4768 wmic.exe Token: 35 4768 wmic.exe Token: 36 4768 wmic.exe Token: SeDebugPrivilege 4736 123ds.exe Token: SeIncreaseQuotaPrivilege 924 WMIC.exe Token: SeSecurityPrivilege 924 WMIC.exe Token: SeTakeOwnershipPrivilege 924 WMIC.exe Token: SeLoadDriverPrivilege 924 WMIC.exe Token: SeSystemProfilePrivilege 924 WMIC.exe Token: SeSystemtimePrivilege 924 WMIC.exe Token: SeProfSingleProcessPrivilege 924 WMIC.exe Token: SeIncBasePriorityPrivilege 924 WMIC.exe Token: SeCreatePagefilePrivilege 924 WMIC.exe Token: SeBackupPrivilege 924 WMIC.exe Token: SeRestorePrivilege 924 WMIC.exe Token: SeShutdownPrivilege 924 WMIC.exe Token: SeDebugPrivilege 924 WMIC.exe Token: SeSystemEnvironmentPrivilege 924 WMIC.exe Token: SeRemoteShutdownPrivilege 924 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exewill5944.exewill2104.exewill5230.exery77dz98.exelegenda.execmd.exedescription pid process target process PID 1860 wrote to memory of 4080 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe will5944.exe PID 1860 wrote to memory of 4080 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe will5944.exe PID 1860 wrote to memory of 4080 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe will5944.exe PID 4080 wrote to memory of 4112 4080 will5944.exe will2104.exe PID 4080 wrote to memory of 4112 4080 will5944.exe will2104.exe PID 4080 wrote to memory of 4112 4080 will5944.exe will2104.exe PID 4112 wrote to memory of 2884 4112 will2104.exe will5230.exe PID 4112 wrote to memory of 2884 4112 will2104.exe will5230.exe PID 4112 wrote to memory of 2884 4112 will2104.exe will5230.exe PID 2884 wrote to memory of 2344 2884 will5230.exe mx5018aw.exe PID 2884 wrote to memory of 2344 2884 will5230.exe mx5018aw.exe PID 2884 wrote to memory of 4832 2884 will5230.exe ns0004go.exe PID 2884 wrote to memory of 4832 2884 will5230.exe ns0004go.exe PID 2884 wrote to memory of 4832 2884 will5230.exe ns0004go.exe PID 4112 wrote to memory of 1168 4112 will2104.exe py73SY97.exe PID 4112 wrote to memory of 1168 4112 will2104.exe py73SY97.exe PID 4112 wrote to memory of 1168 4112 will2104.exe py73SY97.exe PID 4080 wrote to memory of 492 4080 will5944.exe qs8020zJ.exe PID 4080 wrote to memory of 492 4080 will5944.exe qs8020zJ.exe PID 4080 wrote to memory of 492 4080 will5944.exe qs8020zJ.exe PID 1860 wrote to memory of 4816 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe ry77dz98.exe PID 1860 wrote to memory of 4816 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe ry77dz98.exe PID 1860 wrote to memory of 4816 1860 1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe ry77dz98.exe PID 4816 wrote to memory of 1192 4816 ry77dz98.exe legenda.exe PID 4816 wrote to memory of 1192 4816 ry77dz98.exe legenda.exe PID 4816 wrote to memory of 1192 4816 ry77dz98.exe legenda.exe PID 1192 wrote to memory of 3244 1192 legenda.exe schtasks.exe PID 1192 wrote to memory of 3244 1192 legenda.exe schtasks.exe PID 1192 wrote to memory of 3244 1192 legenda.exe schtasks.exe PID 1192 wrote to memory of 1900 1192 legenda.exe cmd.exe PID 1192 wrote to memory of 1900 1192 legenda.exe cmd.exe PID 1192 wrote to memory of 1900 1192 legenda.exe cmd.exe PID 1900 wrote to memory of 4268 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 4268 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 4268 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 4468 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 4468 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 4468 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3888 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3888 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3888 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 656 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 656 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 656 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 5116 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 5116 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 5116 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3360 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3360 1900 cmd.exe cacls.exe PID 1900 wrote to memory of 3360 1900 cmd.exe cacls.exe PID 1192 wrote to memory of 696 1192 legenda.exe KMuffPQJRlr6.exe PID 1192 wrote to memory of 696 1192 legenda.exe KMuffPQJRlr6.exe PID 1192 wrote to memory of 696 1192 legenda.exe KMuffPQJRlr6.exe PID 1192 wrote to memory of 1220 1192 legenda.exe svchost.exe PID 1192 wrote to memory of 1220 1192 legenda.exe svchost.exe PID 1192 wrote to memory of 1220 1192 legenda.exe svchost.exe PID 1192 wrote to memory of 2128 1192 legenda.exe serv.exe PID 1192 wrote to memory of 2128 1192 legenda.exe serv.exe PID 1192 wrote to memory of 2128 1192 legenda.exe serv.exe PID 1192 wrote to memory of 1988 1192 legenda.exe 123ds.exe PID 1192 wrote to memory of 1988 1192 legenda.exe 123ds.exe PID 1192 wrote to memory of 1988 1192 legenda.exe 123ds.exe PID 1192 wrote to memory of 4736 1192 legenda.exe 123ds.exe PID 1192 wrote to memory of 4736 1192 legenda.exe 123ds.exe
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2564
-
C:\Windows\SysWOW64\fontview.exe"C:\Windows\SYSWOW64\fontview.exe"2⤵PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe"C:\Users\Admin\AppData\Local\Temp\1d680b26c5cc4e83dc73a42bac17ed9c8cc615f2bf97eaf4b1d4e142ccfe3962.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5944.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will5944.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2104.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\will2104.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will5230.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\will5230.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx5018aw.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mx5018aw.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0004go.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ns0004go.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py73SY97.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\py73SY97.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 11085⤵
- Program crash
PID:4672
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8020zJ.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qs8020zJ.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry77dz98.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ry77dz98.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F4⤵
- Creates scheduled task(s)
PID:3244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4268
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legenda.exe" /P "Admin:N"5⤵PID:4468
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legenda.exe" /P "Admin:R" /E5⤵PID:3888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:656
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\f22b669919" /P "Admin:N"5⤵PID:5116
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\f22b669919" /P "Admin:R" /E5⤵PID:3360
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"C:\Users\Admin\AppData\Local\Temp\1000065001\KMuffPQJRlr6.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 12565⤵
- Program crash
PID:2064
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 14005⤵
- Program crash
PID:1140
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\svchost.exe"4⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"5⤵PID:3820
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"5⤵PID:4080
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name6⤵PID:4628
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"C:\Users\Admin\AppData\Local\Temp\1000067001\serv.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
PID:2128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 6885⤵
- Program crash
PID:800
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"C:\Users\Admin\AppData\Local\Temp\1000070001\123ds.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"C:\Users\Admin\AppData\Local\Temp\1000071001\123ds.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4440
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1168 -ip 11681⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exeC:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe1⤵
- Executes dropped EXE
PID:4676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 696 -ip 6961⤵PID:4244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 696 -ip 6961⤵PID:2308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2128 -ip 21281⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exeC:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe1⤵
- Executes dropped EXE
PID:4796
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55c9237df35c69a284b3cfd66970ce736
SHA16c25b1319637046c663d18e36bdafbb6f5cadf00
SHA256b4a0eea59921d24fe0f743c96ed5322c79af4c22d37c16f62bdba777c6be717e
SHA51201dcd3afd5f4d395299ad2b8f8c41c1b39422486274d0a95c0f4e187b38d75ff40fce896815fa9dc05b2d66403ae83a697cb43927271f0eb1de28d78163dcc06
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
1.5MB
MD5103f1dc5270469cf9414ee95dee9561f
SHA1f44b74ac4e35943c1b9f85ca560595bb64a8c918
SHA2565d8fcce25d88b4e04ddda7cc22108623d6ca4dc9f7a6a671d57e9230fd6a95ac
SHA512a9909671d9b628e34add9aeff9e06d85f505229505732609d32e7db74b887e404712b8ab92d40c12e553adfad0e4eb1225d03655b107462cf316328e5bf90e88
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
3.0MB
MD5a8a106555b9e1f92569d623c66ee8c12
SHA1a5080c26b5f5911c10d80654c84239a226fc75d1
SHA25684aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
SHA5129b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
-
Filesize
354KB
MD5eed47d292238f663ba7f60d55116cb2a
SHA1f3e654ebe80dc0de1c2062a3a5c182500dbe2986
SHA256432449641afbbe54aaafe6e0efe3e9360106d1a71448f5d85a3be2ab38ff1e13
SHA5126d86cfc865c8e1aceeb0a13304bcbe8d3771dca3f26df54a3402b4ae6f1b4315824efeb6acf407a4282e20b003c3e5c07f9fe44698f664c4bfd0e64ea49ac53d
-
Filesize
354KB
MD5eed47d292238f663ba7f60d55116cb2a
SHA1f3e654ebe80dc0de1c2062a3a5c182500dbe2986
SHA256432449641afbbe54aaafe6e0efe3e9360106d1a71448f5d85a3be2ab38ff1e13
SHA5126d86cfc865c8e1aceeb0a13304bcbe8d3771dca3f26df54a3402b4ae6f1b4315824efeb6acf407a4282e20b003c3e5c07f9fe44698f664c4bfd0e64ea49ac53d
-
Filesize
354KB
MD5eed47d292238f663ba7f60d55116cb2a
SHA1f3e654ebe80dc0de1c2062a3a5c182500dbe2986
SHA256432449641afbbe54aaafe6e0efe3e9360106d1a71448f5d85a3be2ab38ff1e13
SHA5126d86cfc865c8e1aceeb0a13304bcbe8d3771dca3f26df54a3402b4ae6f1b4315824efeb6acf407a4282e20b003c3e5c07f9fe44698f664c4bfd0e64ea49ac53d
-
Filesize
175KB
MD520b01b94fec9143a2adf624945aa41c3
SHA13e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA25697a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA51252b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68
-
Filesize
175KB
MD520b01b94fec9143a2adf624945aa41c3
SHA13e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA25697a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA51252b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68
-
Filesize
175KB
MD520b01b94fec9143a2adf624945aa41c3
SHA13e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA25697a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA51252b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68
-
Filesize
175KB
MD520b01b94fec9143a2adf624945aa41c3
SHA13e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA25697a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA51252b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68
-
Filesize
175KB
MD520b01b94fec9143a2adf624945aa41c3
SHA13e3690bb58b1a42cea254a0eb039019c7ebbbf3f
SHA25697a489a4b544ec0c4cd80ec7fba849e66e1f14a89733e23e2f56e29eb77ad2f9
SHA51252b85eefceaf3589b34d831521f27517e6496cc9f26b6a05016b6df348211369a69c3c794af7ba245f2b161fdd2f7d28e1056185ffbf72384991680fd8e15a68
-
Filesize
334KB
MD5098a4aa93e275de54bbc35ae4b981301
SHA1d03646dc7c63e0784393f74085405c794b8555af
SHA2565e81e932ef8520dd7de22cb9e3a02af66d29dc1726b133e894cbd7d797b9af3b
SHA5122e039df42a6202f4e4c61c3bef62307dfa5b7e1e9103085c4f73c4459c8cc747bec85da8f1c87f97851de896104712c71f13da396c6016fc27f60cd358e93f46
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
866KB
MD505ca549f3680581cbe3cc42936545555
SHA193c83af3999eebb92400b73563d761d53d9bf606
SHA256da37bd98afdf65367e41eebf25df366ed47eebced521ee9b23f9d32f027e7b37
SHA51268ad504c777d32a615d5ee523edd63e433b48b914d14fa69abc9e011a75145b51d046bbd78d69b34fdc078121f162a6b8f7fa3640f2445e65bbfe23cb1f8be98
-
Filesize
866KB
MD505ca549f3680581cbe3cc42936545555
SHA193c83af3999eebb92400b73563d761d53d9bf606
SHA256da37bd98afdf65367e41eebf25df366ed47eebced521ee9b23f9d32f027e7b37
SHA51268ad504c777d32a615d5ee523edd63e433b48b914d14fa69abc9e011a75145b51d046bbd78d69b34fdc078121f162a6b8f7fa3640f2445e65bbfe23cb1f8be98
-
Filesize
175KB
MD53389637c0d072121bf1b127629736d37
SHA1300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA2562b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4
-
Filesize
175KB
MD53389637c0d072121bf1b127629736d37
SHA1300e915efdf2479bfd0d3699c0a6bc51260f9655
SHA2562b74c4ce2674a8fc0c78fffa39c5de5e43ae28b8bf425349a5f97c6a61135153
SHA512a32cc060d2600f6ca94ffdce07c95ea5e2f56c0b418260456b568cb41e5f55db0c4fc97c35ca4103c674e61a17300d834d2c0da5a78b7084b6bc342fd23a7fb4
-
Filesize
721KB
MD58b0911a16fadb867c26b55ffd1b6b4e7
SHA1c5329d556792c28421212923be88386e342f38ee
SHA2560c53c7958da71899c7af6b3ec0871ffd3f8972c83ddd909263a439c11be27704
SHA51280bce09bcd98509276b3665cc65d0aa2a579e342151a4b470502469f72f934aa8f490c75435f33dd5952e397df34ed94fb292310f29792ddfecb1f1acc534aa5
-
Filesize
721KB
MD58b0911a16fadb867c26b55ffd1b6b4e7
SHA1c5329d556792c28421212923be88386e342f38ee
SHA2560c53c7958da71899c7af6b3ec0871ffd3f8972c83ddd909263a439c11be27704
SHA51280bce09bcd98509276b3665cc65d0aa2a579e342151a4b470502469f72f934aa8f490c75435f33dd5952e397df34ed94fb292310f29792ddfecb1f1acc534aa5
-
Filesize
391KB
MD559ddc0dabb86341ed052743a5ce5faaa
SHA1cac9f2d7d31a096dcd801ec74ff375e868a92aae
SHA2563cf4efe667c13bb6beb76bc34f810c736c8e80a6bdeed0a802b636b00b95fa80
SHA5129101a3c133ba22723ad2af82d4ee7306c9681d08ca7504497554af5b872472894d9fedfed57188a545a2974754d875255e14003931f851466879d339bf4f8690
-
Filesize
391KB
MD559ddc0dabb86341ed052743a5ce5faaa
SHA1cac9f2d7d31a096dcd801ec74ff375e868a92aae
SHA2563cf4efe667c13bb6beb76bc34f810c736c8e80a6bdeed0a802b636b00b95fa80
SHA5129101a3c133ba22723ad2af82d4ee7306c9681d08ca7504497554af5b872472894d9fedfed57188a545a2974754d875255e14003931f851466879d339bf4f8690
-
Filesize
368KB
MD5372d3e9acdbaae3a31449d239544669d
SHA1af363a947f9fe4d4c63ae8ef50de2e04e5e379a9
SHA2560abb1a52e0046dac525186d65a23f2d569fb3ca8bcc4c882d29f8d0bffede948
SHA5126a0785990226527296d258db9e71aa56aa9493c155a855140de0c3dbe26d81b255fa39c2ed01f3a11d81e71af4843cae513c9484b660e26ed59720a714fe245c
-
Filesize
368KB
MD5372d3e9acdbaae3a31449d239544669d
SHA1af363a947f9fe4d4c63ae8ef50de2e04e5e379a9
SHA2560abb1a52e0046dac525186d65a23f2d569fb3ca8bcc4c882d29f8d0bffede948
SHA5126a0785990226527296d258db9e71aa56aa9493c155a855140de0c3dbe26d81b255fa39c2ed01f3a11d81e71af4843cae513c9484b660e26ed59720a714fe245c
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
371KB
MD50871bb6af6a6cc7a105d1198e2e605be
SHA1ac67c5bc7afb76ccc7ea30de4dc97586d297cf37
SHA256e0da4b2eea086f59606b190815998654d0e254666c1d516b1a999caedcce2fb3
SHA512acbd789900e664f296ae907a07c27fd8a67796c99c83e47eb72661513d9a392991a64891a319eeb80fb89061aac2e54c90017e54085e879d1fd461fd4dd83eaa
-
Filesize
371KB
MD50871bb6af6a6cc7a105d1198e2e605be
SHA1ac67c5bc7afb76ccc7ea30de4dc97586d297cf37
SHA256e0da4b2eea086f59606b190815998654d0e254666c1d516b1a999caedcce2fb3
SHA512acbd789900e664f296ae907a07c27fd8a67796c99c83e47eb72661513d9a392991a64891a319eeb80fb89061aac2e54c90017e54085e879d1fd461fd4dd83eaa
-
Filesize
2KB
MD577e31b1123e94ce5720ceb729a425798
SHA12b65c95f27d8dca23864a3ed4f78490039ae27bf
SHA25668cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
SHA5129c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
235KB
MD55086db99de54fca268169a1c6cf26122
SHA1003f768ffcc99bda5cda1fb966fda8625a8fdc3e
SHA25642873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4
SHA51290531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5
-
Filesize
71KB
MD5386c014d0948d4fc41afa98cfca9022e
SHA1786cc52d9b962f55f92202c7d50c3707eb62607b
SHA256448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
SHA51213d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
89KB
MD516cf28ebb6d37dbaba93f18320c6086e
SHA1eae7d4b7a9636329065877aabe8d4f721a26ab25
SHA256c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106
SHA512f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2
-
Filesize
223B
MD594cbeec5d4343918fd0e48760e40539c
SHA1a049266c5c1131f692f306c8710d7e72586ae79d
SHA25648eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279
SHA5124e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0