Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
12-03-2024 10:34
Behavioral task
behavioral1
Sample
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Size
197KB
-
MD5
5d65d61b82de6b9dcdb67a30cae300cd
-
SHA1
e32500c38d39665f5af7860b6bf3b06af3f9c300
-
SHA256
a0e6a9fec2e7ed51bf36286e416deaec40e6bae8174e8c3fb3c1996fa7ef81ed
-
SHA512
f3fa41d0ba991dfa1f23c1ade289201adce06bae9a0495efee15afb3d17f06c9fde43d1fd63e580f8c7abd7cab333a041cb8c502d351ab85aa21196ca76b59d5
-
SSDEEP
3072:sr85CykgZqltP33686plZG1kqxSb6WpDDDDDDDDDDDDDDDDDDDE45d/t6sq:k9pgZqll32rZ2txSb35d/zq
Malware Config
Extracted
C:\Users\O957g99QW.README.txt
Signatures
-
Detect Neshta payload 16 IoCs
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Neshta
Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe | family_lockbit
-
Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 3 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe, 5C34.tmp, svchost.com
pid | process
2424 | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
1580 | 5C34.tmp
992 | svchost.com
-
Loads dropped DLL 30 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\O957g99QW.bmp" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\O957g99QW.bmp" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe, svchost.com
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Modifies registry class 6 IoCs
Processes:
2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe, 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico" | 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe "C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe" 1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\ProgramData\5C34.tmp "C:\ProgramData\5C34.tmp" 3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5C34.tmp >> NUL 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\5C34.tmp >> NUL 5⤵ PID:2708
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
C:\Windows\system32\AUDIODG.EXE C:\Windows\system32\AUDIODG.EXE 0x148 1⤵ PID:1456
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
86KB
MD5ccaf6b444aab7ef75168300dba7d75db
SHA1687b946b433dd3f24792369ae5cda34c1d7ed266
SHA25651e0b31d820e3b4d3efa64d960b9dc497ce3505e4217bfdf25a78ee1f8612747
SHA5129f41c94cd70e44a1afc405ef36746a0e86b70eb82b346138e3677f44934be4d3f4c3b90068b5d558cf5fba715329a2a141ceace0b958d9751a66a6e40a8a2a9c
-
Filesize
81KB
MD567a7d1da5a79e99501f9e862942fdb3f
SHA180aa2c6e453dc6ea742a8cbd72fc315d7cf1db86
SHA256927c3f9c8ae5f6d533c586aa25545c14f80899389c6250dd9747fb1a4b95ae71
SHA5122a687121e7de7f14f4c4fb387e9724d04ac9474278eda39856469ffdabfee7a7bd49a8e13d022e4057853af39f94c647367850c77335dc08d79d6115250b0c70
-
Filesize
89KB
MD5fabd61bf97e435984b0cb67c937f0049
SHA161ce59106be51d51fb16b7cea5f6b3ac395259c5
SHA25684466f593f3e6062e000a60041eb79a5a2af0f69cc14aff00d88913f8907dc60
SHA5124ebade3602a336c7488b5c030f56a76d2c54c3b63936162a172f34cc0485fb5a583d33b01fde5957f8ad2d278b7b6c4fdd8b0b4f88ca7ca1b7b1a5641de9fd8b
-
Filesize
64KB
MD5a62fc2654bdbfc4c75e8692ee3527f55
SHA14088e11873dc706448173c401df740b0c14eab5c
SHA2567de70b1bafa5415725ac4f3b74bee6ada458a22e745306056bbb230d483e2ffb
SHA51282df198c16f9ee05ed927209302a24370353b9f0949215e84d27a3fca2b4060d85ed3595ca681e053deac9aee8b62f7feb05d5e8d5f85db584b1b9624b48b246
-
Filesize
96KB
MD52866b8104a439f3c6226af2cfbc0d1a7
SHA11fe9b8706ef6e83f45cb7c1ee4c2c857245627af
SHA25634faa306357c9da00ac2bc4679e0890313b5ae96c648a5f7fd3806da62a32587
SHA512b9b282126ca9811419024bbc9a82959cc511715f563080e6bf0864cb31743180d9518835a90f5f66d28cdf01308ca5ba77854aeb085a48066f65071768f64e37
-
Filesize
69KB
MD5130276acc5f632aa2f829225e06053b3
SHA131515dd44e222c34b726d798ae26c71ed8e5f570
SHA256387891bbdd8b6c20d86b77e13039165b0bf0d324dea20d915476d3881d739ba3
SHA5128394a0c8b7c8933bd3e214a46263e36f20c607379f15b6b1da852bee9065c96d2b059e945b418cea0bb3d7ef9ab8bd85cefed5a6abac9d7dcb77268b8d46ef85
-
Filesize
92KB
MD5187ce0baef0cb808a268fa699bb51a91
SHA100b88d4a11a2c41636335b5b770e7f4d1b214ee7
SHA2565389a7be581f7685e476b5fb3a9755ec541ce8ccd620d64d36f633c0e9c4c575
SHA512b6c4505611f18c9586a0a10604e9b3f530770c641dec10eb962be18cbcf0b7da48073a0f9abe1d2e525f8a7ace6875d925928c85c94578cd27ddd6ed246c4813
-
Filesize
113KB
MD5898375c6974e5e33eef0629cbfc09686
SHA199d960b6de8b5b3724b965f5c899daecb6a9ac32
SHA256b63ae14be50731147d559115d24f05bc28b79021331e45897780acdd1e58a75b
SHA512a6f61af6e3a33957eec4f6a8ad23cef48d8f8512dc737ca8891ceef72e1ae1f670d70a03d405289e1469662b76ad01ef5853a605551a9c98be7b59373c1f2706
-
Filesize
71KB
MD5ec3f8efd105b0ce61f37ecac41f671ad
SHA141722a94ecc20b9c1aacc242587c2a5a416654c5
SHA2564ce2f06c82e26989030312be36f5830fb7ac8546bedb4999bb0f986176b15583
SHA512f9291a03f09f5793a802d7567fabed1441ba2cfda980058c939fe595bfa11daf2ceb04d2c0d68cf887a8c1323111403aa8b0148fdf14e6fc0c58199d4c390639
-
Filesize
65KB
MD56175c1c0f6c5a82b291871d734ef46ab
SHA1f77b3cf33181643ee02ae8786abad3cf179c5d0f
SHA256f70e93ed700013545118ad7a323cad25d03d912e2b4c869975dcc6c2e10d6bd8
SHA512ecd0ee31a06e9f267d39e585911ae5a23c9634329a0503f28e2600db76fd64ddd6f6627c7a70eaae98e85b11dd04d4cb12bc3aa17db678b6e08c6571f31eff20
-
Filesize
98KB
MD564b8654c956120b45b2b7e8a98dd577d
SHA1366f4f7a0519e329de4cfb7f570eca33443e5c8e
SHA25695902dba1dfb1802c54406cd72a0b7d25d38e0e63aa5b1bc96ba5d24685a0aa2
SHA512ce02de227a53633aec3b11551a6f57e136d5f8ad5de918c8ab7486cbcc02e735760ff0971046576b49a8dc26d31751bf14b02f2c46032b048ba4edbdc36bb045
-
Filesize
81KB
MD5c9fa56d0978f894ea1aaddb2f40fec53
SHA1a01fe27c9ea735b417ae4a8626f1fa0515f0abf0
SHA256d940ced7b80108a799f64b904450e6f9e3a9fc2246cd39a1c814b3b66b8214d9
SHA512f5d61e7dea3cc9173d3413e3d16e227c9dd295880f5dccd1063462525381bbc24e77b4f7c73345544ac3dd3aa9cd9c56ded8250790fa810706741181fa64aa42
-
Filesize
94KB
MD5104c632250145892e4c658bf50112e10
SHA1731c5b273b4a5e438eab511545b38b49ea6fe40a
SHA2562e871d8f3160584c99fdbc9b9c1c6253312202e39037578bf42a60dde4c71197
SHA512038dafcd99acbfea2c3ca3ea9ffc56af014db2551ab98e28a1067d26661df7044dcf4cbc701885acea44cacae1a27ac21ce06565b75f55ee94857888582aa2af
-
Filesize
98KB
MD50c8920b199d68c31edc6732810d5abe8
SHA118a1954ee9f19d1c6310a81863faa91a1756ef95
SHA25642b9140abf67305299ec1e15823355e76adeb30530112f24358520f9aab63621
SHA512decfc253e7ed90030e4b008df8ab19722b4ef227e257ff7dd1c68ca6905973416d1caad88c60fc0ba84a90d5e0863a74e11688a6b310ce12e6d22fb58314e754
-
Filesize
85KB
MD58e36dc4124de172a5e5ed72e5d985b30
SHA1524eeebf6c143b82d971ab22076ef53d88526a92
SHA2564d86b8cf08727de5ec964756f80e18853b7f077bb35f5d827fa3bac02d320bf1
SHA512a033e978dae6c6485523cc446030bf58bb5fbef5594346a6bde2f72d9ea52e124c0036d44785a13e2bf770d85778fdcda4412206c8e6638a2f71b9a60c10558c
-
Filesize
113KB
MD53c9202ec76fb78112e2bb6395d3c244f
SHA19c11456eab4db0f6586ed22cec70cd3592c0948c
SHA256f4ec778b5d22c066afe88ae0e4bea2424b930f8af4d1c0231a67fb7344f3a93a
SHA512c0defd9a2ebd01cd92cc61c516bac30a3365cf0c54a7dac4d89c7196c4ec32bbf4609b3ebe8ab3ee5b84418c3b0e439a4b43b05f11e6892de51d026248bdca46
-
Filesize
102KB
MD58e352014bb8179579b51f15ac6cc43b2
SHA149c23d38c11014c606529a21b069dcc4ac441f25
SHA256351fff4f63c706073273dc97996c3011fcf7bc43d8c81cc21b5b6608420daf3c
SHA5120f01e94bac0157d1d19bf89ca3ca826e5501e59aab3e7918b8265b2a35db041c02791d888ba855fc9088fb35dd393e1a840f77ffc062a1551672dd6acb2ba640
-
Filesize
126KB
MD53cdc91ddf1cec04568251afe2c98f4c9
SHA1b83c7c498ca4d4894764466c372fe5a59f190b00
SHA256c69143a0f7546f6aee87caa6445011a6f991af0aff75e2ab6f3bdbf839b1fdd6
SHA5129051e4cf51412e2439a93e094e70e352f23df154381706b501b8e5cb12f762c31b59d6369104a2d69ec91e4131730e749fa7dd13bd0a8cfa332d0100a0de2d71
-
Filesize
116KB
MD561c0f507e8e4f9b7c31473dbd9fdaeb5
SHA14763c0d359415a1fab9a95f1b206a93657aa65b1
SHA25625964ee4b84fee6637cc70f6a1161c0415dee5a8ad7e9140ff919ad9d012587d
SHA5125ab8bde91d4a9485c388123bff42866295ee29df3f11f3e8261031bcce057f1344b0c5d210777d4e26544aaee2013ce14e0b4863d0228a25e6e299369038d642