Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/05/2023, 02:13
Static task: static1
Behavioral task: behavioral1
Sample: f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe
Resource: win10v2004-20230220-en
General
- Target: f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe
- Size: 1.5MB
- MD5: fbe4e0a09cd8f0bc4453341a3f56b937
- SHA1: c1dfe90e699a4647365da6fb63a46853f085aed1
- SHA256: f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589
- SHA512: fee2fb36549cd2abe038e283db210b04ae60246aa1b2e283c1a0b28f1f5d4b94e79a7b4688b473c9762a056300b64f21b7495de84984cbc340b8560d2daa0bb9
- SSDEEP: 24576:/yO9fbHUSnvsLrM+H1qljIDx0pzVTuUFcf5B+eGr/FUQrx16XPIxJbhBV2OAsP:KO0svarM+H5DCBu4ixGr/yGRxlhBV5
Malware Config
Extracted
redline
maxbi
185.161.248.73:4164
auth_value: 6aa7dba884fe45693dfa04c91440daef
Extracted
redline
gena
185.161.248.73:4164
auth_value: d05bf43eef533e262271449829751d07
Signatures
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | g92116351.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | g92116351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | g92116351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | g92116351.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | g92116351.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | c08529619.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | d78272091.exe
-
Executes dropped EXE 14 IoCs
pid | Process
3600 | i16875311.exe
1468 | i80499262.exe
4452 | i61480797.exe
4116 | i29756168.exe
3492 | a88149466.exe
4472 | b00430406.exe
1020 | c08529619.exe
8 | oneetx.exe
3016 | d78272091.exe
3152 | 1.exe
1900 | f71396050.exe
2356 | g92116351.exe
5076 | oneetx.exe
2248 | oneetx.exe
-
Loads dropped DLL 1 IoCs
pid | Process
3212 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a88149466.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | g92116351.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i80499262.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | i80499262.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i61480797.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i29756168.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | i29756168.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | i16875311.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i16875311.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | i61480797.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 32 IoCs
pid | pid_target | Process | procid_target
1920 | 3492 | WerFault.exe | 87
1312 | 1020 | WerFault.exe | 94
2692 | 1020 | WerFault.exe | 94
2688 | 1020 | WerFault.exe | 94
1792 | 1020 | WerFault.exe | 94
4856 | 1020 | WerFault.exe | 94
4944 | 1020 | WerFault.exe | 94
1220 | 1020 | WerFault.exe | 94
1608 | 1020 | WerFault.exe | 94
4280 | 1020 | WerFault.exe | 94
372 | 1020 | WerFault.exe | 94
2748 | 8 | WerFault.exe | 114
2260 | 8 | WerFault.exe | 114
2264 | 8 | WerFault.exe | 114
3224 | 8 | WerFault.exe | 114
4980 | 8 | WerFault.exe | 114
2556 | 8 | WerFault.exe | 114
2948 | 8 | WerFault.exe | 114
4448 | 8 | WerFault.exe | 114
4088 | 8 | WerFault.exe | 114
1012 | 8 | WerFault.exe | 114
4660 | 8 | WerFault.exe | 114
3604 | 8 | WerFault.exe | 114
2924 | 8 | WerFault.exe | 114
372 | 8 | WerFault.exe | 114
336 | 3016 | WerFault.exe | 117
3604 | 5076 | WerFault.exe | 165
4280 | 8 | WerFault.exe | 114
3440 | 8 | WerFault.exe | 114
3792 | 8 | WerFault.exe | 114
3916 | 2248 | WerFault.exe | 175
2396 | 8 | WerFault.exe | 114
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4824 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
3492 | a88149466.exe
3492 | a88149466.exe
4472 | b00430406.exe
4472 | b00430406.exe
2356 | g92116351.exe
2356 | g92116351.exe
3152 | 1.exe
3152 | 1.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3492 | a88149466.exe
Token: SeDebugPrivilege | 4472 | b00430406.exe
Token: SeDebugPrivilege | 3016 | d78272091.exe
Token: SeDebugPrivilege | 2356 | g92116351.exe
Token: SeDebugPrivilege | 3152 | 1.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1020 | c08529619.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target
PID 2424 wrote to memory of 3600 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 83
PID 2424 wrote to memory of 3600 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 83
PID 2424 wrote to memory of 3600 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 83
PID 3600 wrote to memory of 1468 | 3600 | i16875311.exe | 84
PID 3600 wrote to memory of 1468 | 3600 | i16875311.exe | 84
PID 3600 wrote to memory of 1468 | 3600 | i16875311.exe | 84
PID 1468 wrote to memory of 4452 | 1468 | i80499262.exe | 85
PID 1468 wrote to memory of 4452 | 1468 | i80499262.exe | 85
PID 1468 wrote to memory of 4452 | 1468 | i80499262.exe | 85
PID 4452 wrote to memory of 4116 | 4452 | i61480797.exe | 86
PID 4452 wrote to memory of 4116 | 4452 | i61480797.exe | 86
PID 4452 wrote to memory of 4116 | 4452 | i61480797.exe | 86
PID 4116 wrote to memory of 3492 | 4116 | i29756168.exe | 87
PID 4116 wrote to memory of 3492 | 4116 | i29756168.exe | 87
PID 4116 wrote to memory of 3492 | 4116 | i29756168.exe | 87
PID 4116 wrote to memory of 4472 | 4116 | i29756168.exe | 93
PID 4116 wrote to memory of 4472 | 4116 | i29756168.exe | 93
PID 4116 wrote to memory of 4472 | 4116 | i29756168.exe | 93
PID 4452 wrote to memory of 1020 | 4452 | i61480797.exe | 94
PID 4452 wrote to memory of 1020 | 4452 | i61480797.exe | 94
PID 4452 wrote to memory of 1020 | 4452 | i61480797.exe | 94
PID 1020 wrote to memory of 8 | 1020 | c08529619.exe | 114
PID 1020 wrote to memory of 8 | 1020 | c08529619.exe | 114
PID 1020 wrote to memory of 8 | 1020 | c08529619.exe | 114
PID 1468 wrote to memory of 3016 | 1468 | i80499262.exe | 117
PID 1468 wrote to memory of 3016 | 1468 | i80499262.exe | 117
PID 1468 wrote to memory of 3016 | 1468 | i80499262.exe | 117
PID 8 wrote to memory of 4824 | 8 | oneetx.exe | 133
PID 8 wrote to memory of 4824 | 8 | oneetx.exe | 133
PID 8 wrote to memory of 4824 | 8 | oneetx.exe | 133
PID 8 wrote to memory of 3608 | 8 | oneetx.exe | 141
PID 8 wrote to memory of 3608 | 8 | oneetx.exe | 141
PID 8 wrote to memory of 3608 | 8 | oneetx.exe | 141
PID 3608 wrote to memory of 4868 | 3608 | cmd.exe | 146
PID 3608 wrote to memory of 4868 | 3608 | cmd.exe | 146
PID 3608 wrote to memory of 4868 | 3608 | cmd.exe | 146
PID 3608 wrote to memory of 4856 | 3608 | cmd.exe | 145
PID 3608 wrote to memory of 4856 | 3608 | cmd.exe | 145
PID 3608 wrote to memory of 4856 | 3608 | cmd.exe | 145
PID 3608 wrote to memory of 2132 | 3608 | cmd.exe | 147
PID 3608 wrote to memory of 2132 | 3608 | cmd.exe | 147
PID 3608 wrote to memory of 2132 | 3608 | cmd.exe | 147
PID 3608 wrote to memory of 2656 | 3608 | cmd.exe | 149
PID 3608 wrote to memory of 2656 | 3608 | cmd.exe | 149
PID 3608 wrote to memory of 2656 | 3608 | cmd.exe | 149
PID 3608 wrote to memory of 4464 | 3608 | cmd.exe | 148
PID 3608 wrote to memory of 4464 | 3608 | cmd.exe | 148
PID 3608 wrote to memory of 4464 | 3608 | cmd.exe | 148
PID 3608 wrote to memory of 3244 | 3608 | cmd.exe | 150
PID 3608 wrote to memory of 3244 | 3608 | cmd.exe | 150
PID 3608 wrote to memory of 3244 | 3608 | cmd.exe | 150
PID 3016 wrote to memory of 3152 | 3016 | d78272091.exe | 160
PID 3016 wrote to memory of 3152 | 3016 | d78272091.exe | 160
PID 3016 wrote to memory of 3152 | 3016 | d78272091.exe | 160
PID 3600 wrote to memory of 1900 | 3600 | i16875311.exe | 163
PID 3600 wrote to memory of 1900 | 3600 | i16875311.exe | 163
PID 3600 wrote to memory of 1900 | 3600 | i16875311.exe | 163
PID 2424 wrote to memory of 2356 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 164
PID 2424 wrote to memory of 2356 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 164
PID 2424 wrote to memory of 2356 | 2424 | f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe | 164
PID 8 wrote to memory of 3212 | 8 | oneetx.exe | 172
PID 8 wrote to memory of 3212 | 8 | oneetx.exe | 172
PID 8 wrote to memory of 3212 | 8 | oneetx.exe | 172
Processes
Each entry gives the PID and command line, indented by depth in the process tree; the image path is shown in parentheses where it differs from the executable named on the command line.

PID 2424: "C:\Users\Admin\AppData\Local\Temp\f04fa749dcf49685eda7f0bbcdf18b8441d4e078f72e943927435ef137829589.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID 3600: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i16875311.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID 1468: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i80499262.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID 4452: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i61480797.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID 4116: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29756168.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID 3492: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a88149466.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID 1920: C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1080
              - Program crash
          PID 4472: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b00430406.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        PID 1020: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c08529619.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID 1312: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 696
            - Program crash
          PID 2692: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 720
            - Program crash
          PID 2688: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 796
            - Program crash
          PID 1792: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 976
            - Program crash
          PID 4856: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 984
            - Program crash
          PID 4944: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 956
            - Program crash
          PID 1220: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1220
            - Program crash
          PID 1608: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1252
            - Program crash
          PID 4280: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1316
            - Program crash
          PID 8: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID 2748: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 692
              - Program crash
            PID 2260: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 880
              - Program crash
            PID 2264: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1012
              - Program crash
            PID 3224: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1108
              - Program crash
            PID 4980: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1116
              - Program crash
            PID 2556: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1116
              - Program crash
            PID 2948: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1020
              - Program crash
            PID 4824: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F (image: C:\Windows\SysWOW64\schtasks.exe)
              - Creates scheduled task(s)
            PID 4448: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 996
              - Program crash
            PID 4088: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 780
              - Program crash
            PID 3608: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit (image: C:\Windows\SysWOW64\cmd.exe)
              - Suspicious use of WriteProcessMemory
              PID 4856: CACLS "oneetx.exe" /P "Admin:N" (image: C:\Windows\SysWOW64\cacls.exe)
              PID 4868: C:\Windows\system32\cmd.exe /S /D /c" echo Y" (image: C:\Windows\SysWOW64\cmd.exe)
              PID 2132: CACLS "oneetx.exe" /P "Admin:R" /E (image: C:\Windows\SysWOW64\cacls.exe)
              PID 4464: CACLS "..\cb7ae701b3" /P "Admin:N" (image: C:\Windows\SysWOW64\cacls.exe)
              PID 2656: C:\Windows\system32\cmd.exe /S /D /c" echo Y" (image: C:\Windows\SysWOW64\cmd.exe)
              PID 3244: CACLS "..\cb7ae701b3" /P "Admin:R" /E (image: C:\Windows\SysWOW64\cacls.exe)
            PID 1012: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 916
              - Program crash
            PID 4660: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 756
              - Program crash
            PID 3604: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1288
              - Program crash
            PID 2924: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1248
              - Program crash
            PID 372: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 728
              - Program crash
            PID 4280: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1012
              - Program crash
            PID 3440: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1624
              - Program crash
            PID 3212: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main (image: C:\Windows\SysWOW64\rundll32.exe)
              - Loads dropped DLL
            PID 3792: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1012
              - Program crash
            PID 2396: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1644
              - Program crash
          PID 372: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1360
            - Program crash
      PID 3016: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d78272091.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID 3152: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 336: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1384
          - Program crash
    PID 1900: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\f71396050.exe
      - Executes dropped EXE
  PID 2356: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g92116351.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
PID 2780: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3492 -ip 3492
PID 4852: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1020 -ip 1020
PID 2356: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1020 -ip 1020
PID 2740: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1020 -ip 1020
PID 1640: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1020 -ip 1020
PID 1040: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1020 -ip 1020
PID 4832: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1020 -ip 1020
PID 2636: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1020 -ip 1020
PID 3980: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1020 -ip 1020
PID 2220: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1020 -ip 1020
PID 4628: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1020 -ip 1020
PID 3616: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8 -ip 8
PID 860: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 8 -ip 8
PID 1388: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8 -ip 8
PID 1760: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8 -ip 8
PID 336: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 8 -ip 8
PID 1064: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8 -ip 8
PID 1020: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8 -ip 8
PID 392: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8 -ip 8
PID 740: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 8 -ip 8
PID 1996: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8 -ip 8
PID 1068: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8 -ip 8
PID 2912: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 8 -ip 8
PID 2212: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 8 -ip 8
PID 4928: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 8 -ip 8
PID 4152: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3016 -ip 3016
PID 5076: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
  PID 3604: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 312
    - Program crash
PID 4236: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5076 -ip 5076
PID 2320: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 8 -ip 8
PID 1240: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 8 -ip 8
PID 4756: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 8 -ip 8
PID 2248: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
  PID 3916: C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 312
    - Program crash
PID 3908: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2248 -ip 2248
PID 512: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 8 -ip 8
Network
MITRE ATT&CK Enterprise v6
Downloads