Analysis
  max time kernel   141s
  max time network  146s
  platform          windows10-2004_x64
  resource          win10v2004-20231020-en
  resource tags     arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  submitted         20/10/2023, 20:06
  Static task       static1
General
  Target  instruction.txt
  Size    1KB
  MD5     e7e95a95ae3ce1cf265f40ec915764d7
  SHA1    cab3098c228d4f349ef40075b5d6673689b487de
  SHA256  0c753ca939dc8c012bc327f6662e8ff3fa8a18e549b27b31be7e6a9a62a40826
  SHA512  7a2746589a60221385700099c848e6c29e63fa28ca9f2cfd670a99af9454021ddf99aa461f2d2272ebbf6d10281bea4009fcac02bca31af89c63baa5b2e352ff
Malware Config
Signatures

Note on attribution: every family and behaviour signature below fires on XWormLoader.exe (PID 3584, run from C:\Users\Admin\Desktop\XWorm V5.0\) or on the browsers started inside the sandbox. The submitted target, instruction.txt, is only ever opened in Notepad (PID 4468); nothing in the report ties the text file itself to the detections (see Processes).

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer (the report's family blurb calls it "written in visual basic"; the family is .NET, i.e. VB.NET/C#).
Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/3584-192-0x0000000006780000-0x00000000071F2000-memory.dmp | family_xworm
  behavioral1/memory/3584-203-0x00000000077B0000-0x0000000008366000-memory.dmp | family_xworm
  behavioral1/files/0x0006000000022f0a-232.dat | family_xworm

AgentTesla payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/3584-206-0x000000000AC60000-0x000000000AE54000-memory.dmp | family_agenttesla

Loads dropped DLL (1 IoCs)
  pid | Process
  3584 | XWormLoader.exe
  (The only DLL among the dropped files listed under Downloads is C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll, 84KB.)

Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/3584-192-0x0000000006780000-0x00000000071F2000-memory.dmp | agile_net
  (This is the same memory region as the first family_xworm hit, so the XWorm payload unpacked in the loader's memory is itself Agile.Net-obfuscated. All memory hits are in PID 3584; the .dat file hit is a dropped file, not a memory region.)
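The resource names in the three YARA tables above follow a fixed pattern: task/memory/<pid>-<sequence>-<start>-<end>-memory.dmp for memory dumps and task/files/<id>-<sequence>.dat for dropped files. The following added example, which is not part of the sandbox report, parses those names and joins the hits by resource, so that the overlap between family_xworm and agile_net on region 3584-192 (and the size of each dumped region) is computed rather than read off by eye. The hit list is copied from the tables above; the function names are this example's own.

```python
import re
from collections import defaultdict

# YARA hits exactly as the report names them: (resource, rule).
HITS = [
    ("behavioral1/memory/3584-192-0x0000000006780000-0x00000000071F2000-memory.dmp", "family_xworm"),
    ("behavioral1/memory/3584-203-0x00000000077B0000-0x0000000008366000-memory.dmp", "family_xworm"),
    ("behavioral1/files/0x0006000000022f0a-232.dat", "family_xworm"),
    ("behavioral1/memory/3584-206-0x000000000AC60000-0x000000000AE54000-memory.dmp", "family_agenttesla"),
    ("behavioral1/memory/3584-192-0x0000000006780000-0x00000000071F2000-memory.dmp", "agile_net"),
]

MEM_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<id>0x[0-9A-Fa-f]+)-(?P<seq>\d+)\.dat$")


def parse_resource(name: str) -> dict:
    """Split a sandbox resource name into its fields; region sizes are in bytes."""
    m = MEM_RE.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"inverted region in {name}")
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]),
                "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}
    m = FILE_RE.match(name)
    if m:
        return {"kind": "file", "task": m["task"], "id": m["id"], "seq": int(m["seq"])}
    raise ValueError(f"unrecognised resource name: {name}")


def rules_by_resource(hits) -> dict:
    """Map each distinct resource to the set of rules that matched it."""
    out = defaultdict(set)
    for name, rule in hits:
        out[name].add(rule)
    return dict(out)


def overlapping(hits) -> dict:
    """Resources matched by more than one rule (family plus packer/obfuscator, for instance)."""
    return {name: rules for name, rules in rules_by_resource(hits).items() if len(rules) > 1}


def memory_summary(hits) -> list:
    """One row per dumped region: (pid, sequence, size, sorted rules), largest region first."""
    rows = []
    for name, rules in rules_by_resource(hits).items():
        r = parse_resource(name)
        if r["kind"] == "memory":
            rows.append((r["pid"], r["seq"], r["size"], sorted(rules)))
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    for pid, seq, size, rules in memory_summary(HITS):
        print(f"pid {pid} dump #{seq}: {size / 2**20:6.2f} MiB  {', '.join(rules)}")
    for name, rules in overlapping(HITS).items():
        print("overlap:", name, sorted(rules))
```

Run as-is it prints the three PID 3584 regions (about 11.7, 10.4 and 2.0 MiB) and the single overlapping resource; feeding it a longer export of the same shape is the point of the parser.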
Uses the VBS compiler for execution (1 TTPs)
The binary involved is vbc.exe, the Visual Basic .NET command-line compiler, not the VBScript engine. XWormLoader.exe (PID 3584) spawned vbc.exe /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.cmdline", which in turn ran cvtres.exe (see Processes). That compiler-plus-cvtres chain with a response file under %TEMP% is the footprint of .NET CodeDOM run-time compilation: source is compiled to a temporary assembly and loaded into the calling process, which is a common way for .NET loaders to materialise a stage without dropping a ready-made PE.
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\perfh00A.dat | lodctr.exe
  File created | C:\Windows\system32\perfc00C.dat | lodctr.exe
  File created | C:\Windows\system32\perfh011.dat | lodctr.exe
  File created | C:\Windows\system32\perfc007.dat | lodctr.exe
  File created | C:\Windows\system32\perfh007.dat | lodctr.exe
  File created | C:\Windows\system32\perfh009.dat | lodctr.exe
  File created | C:\Windows\system32\perfc010.dat | lodctr.exe
  File created | C:\Windows\system32\perfh010.dat | lodctr.exe
  File created | C:\Windows\system32\perfc011.dat | lodctr.exe
  File created | C:\Windows\system32\perfc009.dat | lodctr.exe
  File created | C:\Windows\system32\perfc00A.dat | lodctr.exe
  File created | C:\Windows\system32\perfh00C.dat | lodctr.exe
  (lodctr /r, PID 4612, was launched by cmd.exe running Fixer.bat from the XWorm V5.0 folder; see Processes. lodctr /r rebuilds the performance-counter registry settings from the backup store, and the perfc*/perfh* .dat files are its normal per-language counter name and help text output. This signature therefore records the batch file's counter repair step, not a payload being written to System32.)
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | XWormLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | XWormLoader.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  (Eight of the ten reads come from the sandbox-launched firefox.exe, so this signature is noisy here. Only the key open and the ~MHz read by XWormLoader.exe are attributable to the sample, and a single CPU-speed read is weak evidence of sandbox evasion on its own; weigh it together with the BIOS reads in the next table.)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWormLoader.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWormLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWormLoader.exe
  (SystemManufacturer and SystemVersion under HARDWARE\DESCRIPTION\System\BIOS are the usual keys for virtual-machine vendor fingerprinting; all three reads are by XWormLoader.exe.)

Modifies Internet Explorer settings (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\TypedURLs | XWormLoader.exe
Modifies registry class (35 IoCs)
In the paths below, <UserClasses> stands for \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes.
  description | ioc | Process
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | XWormLoader.exe
  Set value (str) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | XWormLoader.exe
  Set value (str) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 60003100000000005457e5a0100058574f524d567e312e300000460009000400efbe5457e4a05457e5a02e000000772e02000000070000000000000000000000000000005d0ae600580057006f0072006d002000560035002e00300000001a000000 | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | XWormLoader.exe
  Key created | <UserClasses>\Local Settings | firefox.exe
  Key created | <UserClasses>\Local Settings | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | XWormLoader.exe
  Key created | <UserClasses>\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | XWormLoader.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | XWormLoader.exe
  Set value (data) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff | XWormLoader.exe
  Set value (int) | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3" | XWormLoader.exe
  Key created | <UserClasses>\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | XWormLoader.exe
  (Apart from the two CLSID\...\Instance\ keys, every entry is Explorer ShellBag state under BagMRU, Bags\3\ComDlg and Bags\3\Shell, which the shell writes when a process shows a common file dialog. The BagMRU\0\1\0 item above encodes the 8.3 name XWORMV~1.0 and the long name "XWorm V5.0", the Desktop folder XWormLoader.exe was run from, so this signature records the loader's GUI browsing its own folder rather than a persistence or policy change.)
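The BagMRU\0\1\0 value in the table above is a Windows shell item: a file/folder entry (type 0x31) carrying a 0xbeef0004 extension block with the long name and FAT timestamps. The added example below is not part of the report; it decodes that value to recover the short name, the long name, the directory attribute and the timestamps, which date the file dialog to the minute of the sandbox run. The hex is copied from the table; the long-name offsets for extension-block versions 8 and 9 are this example's assumption (taken from the libfwsi shell item format notes) and the code checks them against the size fields inside the blob before trusting them.

```python
import struct
from datetime import datetime

# BagMRU\0\1\0 data exactly as the report prints it (shell item followed by a 2-byte terminator).
BAGMRU_0_1_0 = bytes.fromhex(
    "60003100000000005457e5a0100058574f524d567e312e300000"
    "460009000400efbe5457e4a05457e5a02e000000772e020000000700"
    "0000000000000000000000000000"
    "5d0ae600580057006f0072006d002000560035002e00300000001a000000"
)

EXT_SIGNATURE = 0xBEEF0004
# Offset of the UTF-16 long name inside the 0xbeef0004 block, by block version
# (assumption from the libfwsi shell item notes: version 8 = Windows 7, 9 = Windows 8+).
LONG_NAME_OFFSET = {8: 42, 9: 46}


def fat_datetime(raw: bytes) -> datetime:
    """Decode a 4-byte DOS/FAT timestamp: little-endian date word, then time word."""
    date, time = struct.unpack("<HH", raw)
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_file_entry(data: bytes) -> dict:
    """Parse the first file/folder shell item (type 0x3x) at the start of a BagMRU value."""
    size, kind = struct.unpack_from("<HB", data, 0)
    if kind & 0x70 != 0x30:
        raise ValueError(f"item type 0x{kind:02x} is not a file/folder entry")
    item = data[:size]
    file_size, = struct.unpack_from("<I", item, 4)
    modified = fat_datetime(item[8:12])
    attrs, = struct.unpack_from("<H", item, 12)
    end = item.index(b"\x00", 14)              # 8.3 short name, NUL-terminated, from offset 14
    short_name = item[14:end].decode("ascii")
    ext_off = (end + 2) & ~1                   # extension block starts 16-bit aligned after the NUL
    ext_size, ext_ver, sig = struct.unpack_from("<HHI", item, ext_off)
    if sig != EXT_SIGNATURE:
        raise ValueError(f"unexpected extension signature 0x{sig:08x}")
    if ext_off + ext_size != size:
        raise ValueError("extension block size does not match item size")
    # The block's last two bytes hold the offset of the first extension block: a layout check.
    back, = struct.unpack_from("<H", item, ext_off + ext_size - 2)
    if back != ext_off:
        raise ValueError("first-extension offset mismatch")
    created = fat_datetime(item[ext_off + 8:ext_off + 12])
    accessed = fat_datetime(item[ext_off + 12:ext_off + 16])
    name_off = LONG_NAME_OFFSET.get(ext_ver)
    if name_off is None:
        raise ValueError(f"unsupported 0xbeef0004 version {ext_ver}")
    raw = item[ext_off + name_off:ext_off + ext_size - 2]
    long_name = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"short_name": short_name, "long_name": long_name,
            "is_directory": bool(attrs & 0x10), "file_size": file_size,
            "modified": modified, "created": created, "accessed": accessed,
            "ext_version": ext_ver}


if __name__ == "__main__":
    for key, value in parse_file_entry(BAGMRU_0_1_0).items():
        print(f"{key:13} {value}")
```

The decoded modification time, 2023-10-20 20:07:10, sits one minute after the report's submission time (20:06), which is the kind of cross-check that lets ShellBag data corroborate a timeline even when the registry hive itself is all that survives.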
Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  4468 | NOTEPAD.EXE
  (This is the submitted target, C:\Users\Admin\AppData\Local\Temp\instruction.txt, being opened for the analysis run; no other process in the report touches that file.)
Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid | Process | events
  1380 | msedge.exe | 2
  3416 | identity_helper.exe | 2
  64 | msedge.exe | 2
  3584 | XWormLoader.exe | 29
  3400 | msedge.exe | 4
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3584 | XWormLoader.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2156 | firefox.exe
  Token: SeDebugPrivilege | 2156 | firefox.exe
  Token: 33 | 4908 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4908 | AUDIODG.EXE
  Token: SeDebugPrivilege | 3584 | XWormLoader.exe
  (Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; the AUDIODG.EXE entries are the audio engine's normal start-up. SeDebugPrivilege on XWormLoader.exe is the one entry attributable to the sample.)

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid | Process | events
  2156 | firefox.exe | 4
  3584 | XWormLoader.exe | 2

Suspicious use of SendNotifyMessage (5 IoCs)
  pid | Process | events
  2156 | firefox.exe | 3
  3584 | XWormLoader.exe | 2

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process | events
  2156 | firefox.exe | 1
  3584 | XWormLoader.exe | 5
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 3020 (repeated) | 2156 | firefox.exe | 87
  PID 2156 wrote to memory of 4844 (repeated) | 2156 | firefox.exe | 89
  PID 2156 wrote to memory of 1072 (repeated) | 2156 | firefox.exe | 90
  (All 64 events are the firefox.exe parent, PID 2156, writing into its own child processes 3020 (gpu), 4844 (socket) and 1072 (tab), which is how Firefox bootstraps content processes; the repeated rows are collapsed above. None of the writes involve XWormLoader.exe, so this signature adds nothing to the verdict on the sample.)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report attributes no process or IoC to this TTP, so the task name, trigger and action cannot be confirmed from this page.
Processes
(Indentation follows the parent/child nesting the report draws; signatures are listed under the process they fired on.)

C:\Windows\system32\NOTEPAD.EXE  [PID 4468]
  cmdline: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\instruction.txt
  - Opens file in notepad (likely ransom note)

C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2156]
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3020, child of 2156]
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.0.1452772280\657892286" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96605ed9-e73b-4bcb-9c67-477e3e01fa67} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 1996 238852d8a58 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4844, child of 2156]
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.1.1413160332\1355975850" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2296 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2f8d2d-16a8-417f-a467-20deab57677c} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 2396 2388520de58 socket
      - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1072, child of 2156]
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.2.755457372\1682818251" -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 1736 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7d271e5-6dae-45e1-9d20-1ff1b8d603c1} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3292 238893fb258 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4372, child of 2156]
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.3.113905748\742965972" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17fd69fa-063f-42a3-bdc7-1a2b4626020d} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 3628 23887da8658 tab

    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4800, child of 2156]
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2156.4.1653326702\792164990" -childID 3 -isForBrowser -prefsHandle 4584 -prefMapHandle 4600 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53367d16-634d-498f-810a-72fab2a114eb} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" 4580 2388975a258 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1248]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f45546f8,0x7ff9f4554708,0x7ff9f4554718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1380]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4872]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3272]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 340]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3740]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  [PID 1972]
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [PID 4904]
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3336]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3276]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 3888]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 3416]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 676]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4212]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2456]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3324]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4688]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2084]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1544]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6060 /prefetch:8

C:\Windows\system32\AUDIODG.EXE  [PID 4908]
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x450 0x504
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4508]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 64]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1776]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8

C:\Windows\System32\rundll32.exe  [PID 3036]
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe  [PID 3584]
  cmdline: "C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  [PID 4668, child of 3584]
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.cmdline"

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  [PID 3296, child of 4668]
          cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5951.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35B8FB7C427E45D2B31BD24CE2BFCDC.TMP"

C:\Windows\system32\wbem\WmiApSrv.exe  [PID 4924]
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\System32\cmd.exe  [PID 4924, as printed in the report]
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V5.0\Fixer.bat"

    C:\Windows\system32\lodctr.exe  [PID 4612, child of cmd.exe]
      cmdline: lodctr /r
      - Drops file in System32 directory

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3400]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17555132985451129623,8841140969145476867,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
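Two chains in the tree above are worth turning into detection logic: XWormLoader.exe spawning vbc.exe /noconfig @"...\Temp\...\*.cmdline", which then spawns cvtres.exe with /OUT: under %TEMP% (the .NET CodeDOM run-time compilation footprint), and cmd.exe running Fixer.bat spawning lodctr /r (the perf-counter rebuild behind the System32 file drops). The added example below is not part of the report. It runs those rules over process-creation events in Sysmon Event ID 1 shape; the events are constructed from the process tree above, with parent PIDs following the tree's nesting, plus one hypothetical MSBuild-driven vbc.exe build (PIDs 7000/7001, not from the report) as a benign control. The allow-list of build-tool parents is this example's assumption and should be tuned per estate.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events (Sysmon Event ID 1 shape). PIDs, images and
# command lines are taken from this report's process tree; "ppid" follows the tree's
# nesting and is None where the report shows no parent. PIDs 7000/7001 are a
# hypothetical benign build added as a control; they are not from the report.
EVENTS = [
    {"pid": 3584, "ppid": None,
     "image": r"C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"'},
    {"pid": 4668, "ppid": 3584,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggdmp1yc\ggdmp1yc.cmdline"'},
    {"pid": 3296, "ppid": 4668,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5951.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35B8FB7C427E45D2B31BD24CE2BFCDC.TMP"'},
    {"pid": 4924, "ppid": None,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\XWorm V5.0\Fixer.bat"'},
    {"pid": 4612, "ppid": 4924,
     "image": r"C:\Windows\system32\lodctr.exe", "cmdline": "lodctr /r"},
    {"pid": 7000, "ppid": None,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.vbproj"},
    {"pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the compilers (assumption: tune per environment).
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
OUT_FILE_RE = re.compile(r'/OUT:([^"\s]+)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    parent: Optional[str]
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events) -> list:
    """Flag run-time .NET compilation chains and the perf-counter rebuild in a list of events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else None
        if img in DOTNET_COMPILERS:
            m = RESPONSE_FILE_RE.search(e["cmdline"])
            rsp = m.group(1) if m else ""
            # CodeDOM compiles from a response file under %TEMP%; a build tool writes it under obj\.
            if TEMP_RE.search(rsp) and pimg not in BUILD_TOOL_PARENTS:
                findings.append(Finding(e["pid"], img, pimg, "runtime-compile",
                                        f"response file {rsp}"))
        elif img == "cvtres.exe" and pimg in DOTNET_COMPILERS:
            m = OUT_FILE_RE.search(e["cmdline"])
            out = m.group(1) if m else ""
            if TEMP_RE.search(out):
                grand = by_pid.get(parent["ppid"])
                origin = basename(grand["image"]) if grand else "unknown"
                findings.append(Finding(e["pid"], img, pimg, "resource-link",
                                        f"resource object {out} for a compile started by {origin}"))
        elif img == "lodctr.exe" and "/r" in e["cmdline"].lower().split():
            # Informational: rebuilds perf-counter registry data and explains perfc*/perfh*.dat writes.
            findings.append(Finding(e["pid"], img, pimg, "perfcounter-rebuild",
                                    f"launched by {parent['cmdline'] if parent else 'unknown'}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image} <- {f.parent}: {f.detail}")
```

The control event shows why both conditions matter: the MSBuild-driven vbc.exe is excluded both because its parent is allow-listed and because its response file lives under obj\ rather than %TEMP%. In a real estate the allow-list will need entries for whatever else legitimately calls vbc.exe or csc.exe (PowerShell Add-Type is a common one), which is exactly the tuning the comment flags.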
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not shown)
  Filesize  111B
  MD5       285252a2f6327d41eab203dc2f402c67
  SHA1      acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

(path not shown)
  Filesize  400B
  MD5       33cd05e534ff62557b8f7311bcc381ae
  SHA1      5b7e8d58b93a1d612430ee4c634d2209f6204c87
  SHA256    34b9fb264f16b6fb7446378bd84c76c887cf3d7b2d652ff017ac0a897c8bd703
  SHA512    1372bc8936ce4968c76e6dcd630962ce419bed31a61e67686741e2573bef04e8e44944a754865e35b52f39fc02f0f76f9ec1aaab05e3d6d7b5310ca36b34423e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp
  Filesize  22KB
  MD5       754523d771955ab4c041680eeb69554c
  SHA1      15aff9c903f605d39e7ee8dfb5ac123f12d44e46
  SHA256    a62b82647bea79e03673c97a84ce7f5cd3262c301e30c80d37ebba57120a4ed5
  SHA512    657e01e051dfa2567c927f7d83714578aea5802e03acb2924de08b74484cd97fcd885bc295cab0add97751dd25b1db3c31df907b525ae692194c5a87e5c2f520

C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
  Filesize  84KB
  MD5       230e9947bdacac72fa6556c32a3fd721
  SHA1      c534758bd97f59782da939ca8c43e76df394f920
  SHA256    bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd
  SHA512    259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9
-
Filesize 1KB
MD5 490b7bfc4804cc6dca382654bf54a51c
SHA1 c8dab67e2cc615367be5062379bfbca16eea4611
SHA256 c1b08f749c0e3f4f7046ddee8cf5924ab5614958ad1087d9404ee06b1d7fc695
SHA512 2683c6b4f41e64b2983403315b611fb088d439495ad143b03ce21b2072901bb14e31e87736ce9a5251169c18bcbe5d9b7c2247f3623c4725960ce39de094ebab
-
Filesize 77KB
MD5 ad4c7b7cd17c722da8d8db13b5a8453d
SHA1 75456a9b25822fcf4c72cf99ac461a61c37cadd3
SHA256 6b2bd97f5fa856a55b7c982950be53ba85645a4374b0281ebcb151594d2a2da3
SHA512 a0d38760a4d8295e5bd2b43f648ab0f68fb7da54b4e16303cfbf0fe86d326f5906c286527b41bd86bc9af91f2d44fbcb23be39237a3517c271d108cc7ce9f08f
-
Filesize 301B
MD5 6265a9021ab33aacb80505fe4acf04d9
SHA1 2acfc11970a836b84a3b54665b7507205744d7b2
SHA256 9e587a92973a27c7b49dc09de939e58d059f5781e3d67f76eb8218ce99cebc81
SHA512 daea6a034ec03bfd60eb57f782e535afed1a19e84ff2e1ecbc258880076c469c2e66160ad2b73da11233ef25c0a28e0665617ebf4a8dc8802cce2f36d2bca625
-
Filesize 1KB
MD5 d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1 c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA256 01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA512 48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68
-
Filesize 6KB
MD5 216c94bf64236c34e9dcb24e1178d34f
SHA1 3b0f7c54f1bb6da0fda910731bef69da35e1cea1
SHA256 b85eb5d66ca3c6aa46d4b309b5aa8c3b5c75450882529b0954cb99b587045693
SHA512 b3788e634baa9f83cc9e5403e3f361e7933874738e9a576dc6e203978cd4bc7b8d2b9290dcdc1b7db9d1b228a5ec0d1165697df06071164bfd54bc8c52329895
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\sessionstore.jsonlz4
Filesize 446B
MD5 ac1ac8345b5c866277cf747119c24138
SHA1 64aeb9d9df71844070dfee3908c671635d308dd6
SHA256 050d4485594ea97dea3ba9756fe87fdbfb9da577bf559282fd6defc52a7a2357
SHA512 0932c1df51f008786442e16088c5ccff5120423a25df0286b9c3afdd8a12617853e039c7cb4a0ba5efefb351c17e677c4981877c7355e7e83a8953c243083c27
-
Filesize 39KB
MD5 c6a00700213a4cdfac7b02faabc2fa10
SHA1 d1fab1803050a67c59dfce442c1f1dacb166d0dc
SHA256 987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559
SHA512 e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d
-
Filesize 47KB
MD5 69c02ba10f3f430568e00bcb54ddf5a9
SHA1 8b95d298633e37c42ea5f96ac08d950973d6ee9d
SHA256 62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e
SHA512 16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e
-
Filesize 43KB
MD5 8b4b53cf469919a32481ce37bcce203a
SHA1 58ee96630adf29e79771bfc39a400a486b4efbb0
SHA256 a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42
SHA512 62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575
-
Filesize 42KB
MD5 bea0a3b9b4dc8d06303d3d2f65f78b82
SHA1 361df606ee1c66a0b394716ba7253d9785a87024
SHA256 e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927
SHA512 341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88
-
Filesize 32KB
MD5 50681b748a019d0096b5df4ebe1eab74
SHA1 0fa741b445f16f05a1984813c7b07cc66097e180
SHA256 33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512 568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e
-
Filesize 298KB
MD5 eadd51b4e0a81aa0a1ec7392a1ce681a
SHA1 f384c3bc0f16ccb5049ebbf7df776e684da84706
SHA256 1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4
SHA512 de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4
-
Filesize 192KB
MD5 80496b7a39979146a130dc67571bb8bb
SHA1 d64dd42402b23e5659162e777492b742f2616848
SHA256 4ada882055aa543d45dca0b95c1ad03d19b1ec0629c3585070ef1e10ecbd5711
SHA512 6ef96110dcaa82375c13ebc1dab6b734e5b363f79a553d578a4f8e6be7dcfbe242d00f01f4f800ae8b68a10c19bf9a93ee81bfb60a913e893d5559dbc0cf1e0c
-
Filesize 347KB
MD5 49032045f6bcb9f676c7437df76c7ffa
SHA1 f1bf3ba149cd1e581fe12fb06e93d512fe3a241b
SHA256 089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641
SHA512 55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1
-
Filesize 350KB
MD5 518020fbecea70e8fecaa0afe298a79e
SHA1 c16d691c479a05958958bd19d1cb449769602976
SHA256 9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125
SHA512 ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e
-
Filesize 340KB
MD5 f9fcefdf318c60de1e79166043b85ec4
SHA1 a99d480b322c9789c161ee3a46684f030ec9ad33
SHA256 9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7
SHA512 881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8
-
Filesize 145KB
MD5 f4f62aa4c479d68f2b43f81261ffd4e3
SHA1 6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa
SHA256 c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c
SHA512 cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3
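This listing is what gets pasted into a blocklist or a hash lookup, and two properties of it matter before that happens: the extractor attached labels to values inconsistently (some entries read "MD5<hash>", others put the value on the following line), and most entries carry no path, so only the ones under the user's AppData can be attributed at all, with the Firefox profile files being sandbox browser noise rather than something the sample wrote. The Python below is an added example, not part of the report or of the sandbox tooling: it parses a listing in this layout into records, validates each hash against the exact hex length of its algorithm so a truncated copy never becomes an indicator, buckets entries by path, and returns a deduplicated hash set for the bucket you care about. SAMPLE_LISTING is a constructed excerpt (values copied from this page in both label styles, with the Temp DLL listed twice as it appears in the raw extraction); the final entry with a short MD5 is constructed to exercise the validation path.

```python
"""Parse a sandbox 'Downloads' hash listing into validated artifact records. Added example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of this report's listing, labels copied as extracted (some
# fused to the value, "MD5<hash>", some alone on a line). Last entry is constructed.
SAMPLE_LISTING = r"""
-
Filesize
111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f3zxqty5.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD5754523d771955ab4c041680eeb69554c
SHA115aff9c903f605d39e7ee8dfb5ac123f12d44e46
SHA256a62b82647bea79e03673c97a84ce7f5cd3262c301e30c80d37ebba57120a4ed5
-
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize84KB
MD5230e9947bdacac72fa6556c32a3fd721
SHA1c534758bd97f59782da939ca8c43e76df394f920
SHA256bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd
SHA512259b16a89d681e84d6590116c85e89556ec009848fbaed4d6c27c4a77630c152d596db172ff95e6c7d79b5c2986252d58bd04f2a963bea75b8a3f1159683c1e9
-
C:\Users\Admin\AppData\Local\Temp\BE731319AC3C9A3FBF49A732595E665F\BE731319AC3C9A3FBF49A732595E665F.dll
Filesize84KB
SHA256bb4315535a02ab1041c2d9501c79e090e3c1e69ea2eebb564bf9a8bb84bf50fd
-
C:\Users\Admin\AppData\Local\Temp\constructed-truncated.bin
Filesize1KB
MD5deadbeef
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Longest labels first so "SHA512<hash>" is never read as "SHA1" + "512...".
FIELD = re.compile(r"^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$")
SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$", re.IGNORECASE)


@dataclass
class Artifact:
    path: Optional[str] = None
    size_bytes: Optional[int] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        """Triage bucket: sandbox browser noise vs. something written under Temp."""
        p = (self.path or "").lower()
        if not p:
            return "no path in listing"
        if "\\mozilla\\firefox\\profiles\\" in p or "\\microsoft\\edge\\" in p:
            return "browser profile noise"
        if "\\appdata\\local\\temp\\" in p:
            return "temp drop"
        return "other"


def parse_listing(text: str) -> List[Artifact]:
    """Split on '-' separators; a label's value may sit on the same line or the next.
    A hash that is not exactly its algorithm's hex length is recorded as a problem."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, cur, i = [], None, 0
    while i < len(lines):
        ln, i = lines[i], i + 1
        if ln == "-":
            if cur is not None:
                records.append(cur)
            cur = Artifact()
        elif cur is None or not ln:
            continue
        elif re.match(r"^[A-Za-z]:\\", ln):
            cur.path = ln
        elif (m := FIELD.match(ln)) is None:
            cur.problems.append(f"unrecognised line: {ln!r}")
        else:
            label, value = m.group(1), m.group(2).strip()
            if not value and i < len(lines) and lines[i] != "-":
                value, i = lines[i], i + 1
            if label == "Filesize":
                s = SIZE.match(value)
                if s:
                    cur.size_bytes = int(float(s.group(1)) * UNIT[s.group(2).upper()])
                else:
                    cur.problems.append(f"bad size: {value!r}")
            elif re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[label], value):
                cur.hashes[label] = value.lower()
            else:
                cur.problems.append(f"{label}: expected {HASH_LEN[label]} hex chars, got {value!r}")
    if cur is not None:
        records.append(cur)
    return records


def unique_hashes(records: List[Artifact], kinds, algo: str = "SHA256") -> List[str]:
    """Deduplicated hashes for the chosen buckets; records with problems are skipped."""
    return sorted({r.hashes[algo] for r in records
                   if r.kind in kinds and algo in r.hashes and not r.problems})
```

Run against the excerpt, the two Temp DLL entries collapse to one SHA256, the Firefox file lands in the noise bucket, the pathless entry is kept but flagged as unattributable, and the truncated MD5 is reported rather than silently accepted. The size conversion treats the listing's KB as 1024 bytes, which is an assumption about the report's rounding, so use it for sanity checks, not as an exact file size.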