Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1803s -
max time network
1600s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
-
Size
902KB
-
MD5
7770c598848339cf3562b7480856d584
-
SHA1
b3d39042aab832b7d2bed732c8b8e600a4cf5197
-
SHA256
ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
-
SHA512
02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
-
SSDEEP
6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9
Malware Config
Extracted
C:\Users\Admin\Desktop\BE4FC4-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\TraceUndo.tiff Explorer.EXE File renamed C:\Users\Admin\Pictures\NewStep.png => C:\Users\Admin\Pictures\NewStep.png.be4fc4 Explorer.EXE File renamed C:\Users\Admin\Pictures\SkipUnblock.png => C:\Users\Admin\Pictures\SkipUnblock.png.be4fc4 Explorer.EXE File opened for modification C:\Users\Admin\Pictures\DenyUninstall.tiff Explorer.EXE File opened for modification C:\Users\Admin\Pictures\ResizeOpen.tiff Explorer.EXE File opened for modification C:\Users\Admin\Pictures\SyncCheckpoint.tiff Explorer.EXE -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF Explorer.EXE File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\BE4FC4-Readme.txt Explorer.EXE File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\el.pak.DATA Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-black.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-150.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-150_contrast-white.png Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\ui-strings.js Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png Explorer.EXE File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected.m4a Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Stop.m4a Explorer.EXE File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-100.png Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\Microsoft.UI.Xaml.winmd Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js Explorer.EXE File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\BE4FC4-Readme.txt Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-hover_32.svg Explorer.EXE File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\PREVIEW.GIF Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Campfire.png Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png Explorer.EXE File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg Explorer.EXE File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security Explorer.EXE File opened for modification C:\Program Files\7-Zip\Lang\af.txt Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board_light.css Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-40_altform-unplated.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-200.png Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL Explorer.EXE File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\Sticker.mp4 Explorer.EXE File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html Explorer.EXE File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js Explorer.EXE File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_contrast-white_devicefamily-colorfulunplated.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_100x96.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\3DViewerProductDescription-universal.xml Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl Explorer.EXE File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\BE4FC4-Readme.txt Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-400.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100_contrast-white.png Explorer.EXE File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-100.png Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml Explorer.EXE File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\BE4FC4-Readme.txt Explorer.EXE File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms Explorer.EXE -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchApp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchApp.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" Explorer.EXE -
Modifies registry class 43 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "926" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "926" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "926" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "893" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "926" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "893" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "893" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "893" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "893" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "926" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "893" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\MuiCache SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "926" SearchApp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4132 powershell.exe 4132 powershell.exe 4132 powershell.exe 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2492 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeDebugPrivilege 4132 powershell.exe Token: SeDebugPrivilege 2492 Explorer.EXE Token: SeImpersonatePrivilege 2492 Explorer.EXE Token: SeBackupPrivilege 1552 vssvc.exe Token: SeRestorePrivilege 1552 vssvc.exe Token: SeAuditPrivilege 1552 vssvc.exe Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE Token: SeShutdownPrivilege 2492 Explorer.EXE Token: SeCreatePagefilePrivilege 2492 Explorer.EXE -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE 2492 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 6540 SearchApp.exe 6816 SearchApp.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4132 wrote to memory of 2676 4132 powershell.exe 80 PID 4132 wrote to memory of 2676 4132 powershell.exe 80 PID 2676 wrote to memory of 728 2676 csc.exe 81 PID 2676 wrote to memory of 728 2676 csc.exe 81 PID 4132 wrote to memory of 4836 4132 powershell.exe 82 PID 4132 wrote to memory of 4836 4132 powershell.exe 82 PID 4836 wrote to memory of 4908 4836 csc.exe 83 PID 4836 wrote to memory of 4908 4836 csc.exe 83 PID 4132 wrote to memory of 2492 4132 powershell.exe 54 PID 2492 wrote to memory of 6184 2492 Explorer.EXE 98 PID 2492 wrote to memory of 6184 2492 Explorer.EXE 98
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\NetWalker_19_10_2020_903KB.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8561.tmp" "c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP"4⤵PID:728
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp" "c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP"4⤵PID:4908
-
-
-
-
C:\Windows\system32\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BE4FC4-Readme.txt"2⤵PID:6184
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6540
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6816
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133076487607126064.txt
Filesize71KB
MD5b2a08dfbfad762fa8b0cc837be238401
SHA151a4ad8b13f5c593d8da20d4b317666022cadaef
SHA2567db07e239f25c7a589416a0c10c2cd58ddc5cb67e4397c112b1cae0c324cfab9
SHA512af1f3631e2b83a0e2f49e9655a0bf52f321cde5fce986eecf98ee715c62150e6b9cffa7253627ec779b2df1fcf4774e3ab4792886fd19c0aba97ec94974cc83c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\B0ESNM48\www.bing[1].xml
Filesize1KB
MD5d3435f0a28674b514bbd7ec84e7c9d95
SHA13dc57c9137b01765e8d26218dac59f33b84ccd7e
SHA256c8dbcf5bc4252528592ee6de2c0f7db5615f7586ecf98aa70b3658e8701da07c
SHA51202234d3394828844c162a9457687a8218e5290aa1edbd11f012f24f1586e0b86cb38af66d89ce27ca4ed5b5cb36e1aa6be17cef4a51b4c5c99c3bfa97a31c71f
-
Filesize
1KB
MD53bff9c4e1982dc263994dda79dc26525
SHA19b5308ca8976a15912e86e3dc2d630c789390c15
SHA256d8d0bad402d18fed8bc818dfc9a4a359c29406009d100d7ee1b11a2881bfb0fa
SHA512938e18d1acd19e0241fa88d4f9aa678008e6819660aa330e687b01338f4873822e9b3664e1841e656aee62842a91ef340d28e627f9b84cc800b0fa68f36f2d9c
-
Filesize
1KB
MD51c259e0e61040b9bd4bac03726deaa35
SHA139f1fd01d0b503ee08ed8d8a466f4421401a15a1
SHA256d2bcb57cc39851a8fd318d4c9592f5cb956fb4d94fa7b5294f83fa3500656f05
SHA5123880641066b8aa364a155746c4da432819a8d160af7197781b154f2ef722f021a170c8e21b6c352339acc5cc3df07ff2c0c3c28dd83a73e5f4c492e9f1b51b0a
-
Filesize
4KB
MD50ef848e9530dd92f398413047aeee4f3
SHA145252a501058a7663420208b1fbfb9e57b9dd119
SHA2566902d05f6f53f98b97fe559e30a43ceedb62ba7ca8c9d820486420a15cfe431a
SHA5128597f925bf88d1076558739ddec503d00282076cf5f46395f00aa09b012af383ee06464a63f14ae9a16376646073fb4ac8d45045735c78e8fc27aefa70a624f6
-
Filesize
6KB
MD5b3e44825d4b51fed8c3e148eb194b554
SHA197732418ae0886fc69a5b6b09ac156627c72813f
SHA256b3001c6d193ec1af24c0c99c889744911be4cffe0c5d2ca4b3b0f65fea8dfde1
SHA512d4f4d92828a7ce8fc0739cd26432284e62e3dd2a5c0d33faecf73f4d31414dc862817600b2b259ec4bc34f5679bf73f15493d8cc000dea1b6855f47682c0ef0c
-
Filesize
2KB
MD5b46b97d5c97c1533c06b1ffbee6b0087
SHA1b595f449cac2b6b4dc9d5e9ecb3e37cd842e3c13
SHA25600e8fdd0645912363983c0631de758db9fa57e5a1d468e14ac63e7913417028b
SHA512401499c409168ea2e8b380dcad84db48680a87183fef3714c143084b1275f8435c90e3df83a2e628459d3540f3be8b13c5c9b0188ebba6c2df61cc093c1bd5ad
-
Filesize
652B
MD53c4e596af22261bc9b799e43d23a775c
SHA15f8fcbd7ef0d1f59300036836d5ed6e56d61f81c
SHA256b871286443ddb67a3f4ebdf66ffdcd1267aba3036cac81d6bd3e1a431b4a8813
SHA512e1e2a04b1759b879eb8af37d3e03053b97f581f14f3ce516b981fe5381bedef7d78b642ca9d885fec7b16043c9211500dbd36389e7f717a5f6171b92ebd9bc22
-
Filesize
2KB
MD51cae52936facd4972987d3baef367d8d
SHA1ad2b4b58d20f290b9da416cef1ef305cf1df6781
SHA25628b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400
SHA5124ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df
-
Filesize
369B
MD5029404c5e599fcbf0eedd69ea3c6ab43
SHA1cf2222109177af14dfbb9f5739fe8f2025357502
SHA256a89c086f8b53e309bdf12611ea071838c8162283b7b231be055c4da85591ccb5
SHA512c499229f0a49f205468ea1dc7e5ed6fe60b3fbb420b86b235b323251104fc95cfcb702bba3d7a5cc0b0841edfc6b4e9506bbf3e10e99bb0a45fca7884d0eb88f
-
Filesize
652B
MD50594c13e862f161d3af22552ca28f4e2
SHA1bdf19102aec9a4189283f51727a403e18767f3ca
SHA2567c4e0f8c79c7a51375ef3951eb4f89d9d366f8ed75db0a9c4ac79a6d7026a03f
SHA51268ee73f3f84fc4a5c303747f658c6d3e0afe53940ae28a59f6e0c3e759d2e3047354e46f3ee886139ec043c73a5448b28b7f35912a3fb542084c1b669722ea02
-
Filesize
9KB
MD564db54f88f46e2ecc57b05a25966da8e
SHA1488dbbbab872714609ded38db924d38971a3685f
SHA256e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5
SHA5128791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729
-
Filesize
369B
MD52dba910482ee581616b11a4408ecee6c
SHA13c9677516dc9916a0abab1a35bc81301ec96b8b7
SHA256b8a13403f7c891798170310760bdd09ab76170309fc2a423a5cafc649e62e97b
SHA512e875de0ea3cee3de928aef073de6e3b2e5f227718af44ec397fc37cb400723461232f806099b444324f6fead2b9d5ce7eeca1110aa9b3962b50fee62a7351438