Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/09/2022, 03:04
Behavioral task
behavioral1
Sample
WinSecurityUpdates.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
WinSecurityUpdates.exe
Resource
win10v2004-20220812-en
General
-
Target
WinSecurityUpdates.exe
-
Size
14.0MB
-
MD5
81ec54952bb1f2d77755acc1c72a1022
-
SHA1
f61fa40dd3b1b36f0ef08335653624a9cf0c0fe5
-
SHA256
eea3cb397782654810eea1c7bfc350a5c4760b9ea776f08de36b8356a1a3c3a7
-
SHA512
77d0fd17bb91ac80e747b62f177fe8d2c013a2c7d261ceca0d9738109fa8ef957c6e6e3014a8548da76aaddbf5154a277f529902a3cb05d5e8c128e8a26c7e72
-
SSDEEP
393216:Ncfbl5euWkQSrstR9zCLFKoL205Suuy0kiOJitcCWRmmd:GfblqkrsX9OLF3L2ASuuy/iCo6Z
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} unregmp2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" unregmp2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266" unregmp2.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" unregmp2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" unregmp2.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process
File created C:\Users\Admin\Pictures\CompleteResolve.tiff.crypted WinSecurityUpdates.exe
File created C:\Users\Admin\Pictures\ConvertToInvoke.png.crypted WinSecurityUpdates.exe
File created C:\Users\Admin\Pictures\UninstallRename.png.crypted WinSecurityUpdates.exe
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.crypted WinSecurityUpdates.exe -
Loads dropped DLL 42 IoCs
pid Process 3948 WinSecurityUpdates.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Crypter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinSecurityUpdates.exe" WinSecurityUpdates.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe -
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3272 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 8 vssadmin.EXE -
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process 3932 WINWORD.EXE 3932 WINWORD.EXE 4200 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4200 vlc.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
Token: 35 3948 WinSecurityUpdates.exe
Token: SeBackupPrivilege 4904 vssvc.exe
Token: SeRestorePrivilege 4904 vssvc.exe
Token: SeAuditPrivilege 4904 vssvc.exe
Token: SeDebugPrivilege 4088 firefox.exe
Token: SeShutdownPrivilege 4520 unregmp2.exe
Token: SeCreatePagefilePrivilege 4520 unregmp2.exe
Token: SeShutdownPrivilege 3144 wmplayer.exe
Token: SeCreatePagefilePrivilege 3144 wmplayer.exe
-
Suspicious use of FindShellTrayWindow 17 IoCs
pid Process 4088 firefox.exe 4200 vlc.exe 3144 wmplayer.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 4088 firefox.exe 4200 vlc.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 3948 WinSecurityUpdates.exe 3932 WINWORD.EXE 4088 firefox.exe 4200 vlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1048 wrote to memory of 3948 1048 WinSecurityUpdates.exe 77
PID 3948 wrote to memory of 2608 3948 WinSecurityUpdates.exe 85
PID 2608 wrote to memory of 3272 2608 cmd.exe 87
PID 3948 wrote to memory of 4496 3948 WinSecurityUpdates.exe 88
PID 4496 wrote to memory of 1704 4496 cmd.exe 90
PID 3948 wrote to memory of 1136 3948 WinSecurityUpdates.exe 92
PID 1136 wrote to memory of 1740 1136 cmd.exe 95
PID 4800 wrote to memory of 4088 4800 firefox.exe 106
PID 4088 wrote to memory of 3504 4088 firefox.exe 107
PID 4088 wrote to memory of 2276 4088 firefox.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinSecurityUpdates.exe
"C:\Users\Admin\AppData\Local\Temp\WinSecurityUpdates.exe"
- Suspicious use of WriteProcessMemory
PID:1048
    C:\Users\Admin\AppData\Local\Temp\WinSecurityUpdates.exe
    "C:\Users\Admin\AppData\Local\Temp\WinSecurityUpdates.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3948
        C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f"
        - Suspicious use of WriteProcessMemory
        PID:2608
            C:\Windows\system32\schtasks.exe
            schtasks /create /tn updater47 /sc once /sd 01/01/1901 /tr "vssadmin Delete Shadows /All /Quiet" /st 00:00 /rl highest /ru SYSTEM /f
            - Creates scheduled task(s)
            PID:3272
        C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "schtasks /run /i /tn updater47"
        - Suspicious use of WriteProcessMemory
        PID:4496
            C:\Windows\system32\schtasks.exe
            schtasks /run /i /tn updater47
            PID:1704
        C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "schtasks /delete /tn updater47 /f"
        - Suspicious use of WriteProcessMemory
        PID:1136
            C:\Windows\system32\schtasks.exe
            schtasks /delete /tn updater47 /f
            PID:1740
-
C:\Windows\system32\vssadmin.EXE
C:\Windows\system32\vssadmin.EXE Delete Shadows /All /Quiet
- Interacts with shadow copies
PID:8
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3932
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
- Suspicious use of WriteProcessMemory
PID:4800
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4088
        C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.0.1307588868\296399950" -parentBuildID 20200403170909 -prefsHandle 2016 -prefMapHandle 2008 -prefsLen 1 -prefMapSize 215966 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2112 gpu
        PID:3504
        C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.6.278586496\2111053647" -childID 1 -isForBrowser -prefsHandle 2692 -prefMapHandle 2492 -prefsLen 1369 -prefMapSize 215966 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 2680 tab
        PID:2276
        C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4088.13.1583652585\1302500600" -childID 2 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 1403 -prefMapSize 215966 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4088 "\\.\pipe\gecko-crash-server-pipe.4088" 3040 tab
        PID:3280
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
PID:4048
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    PID:4080
-
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InvokeRestore.ADT"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4200
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
PID:3044
    C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    PID:816
        C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        PID:2992
            C:\Windows\system32\unregmp2.exe
            "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
            - Modifies Installed Components in the registry
            - Drops desktop.ini file(s)
            - Drops file in Program Files directory
            - Modifies registry class
            PID:2924
        C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\ExitSearch.mp2
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        PID:3144
    C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    PID:720
        C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        PID:4520
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
- Drops file in Windows directory
PID:1752
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
18KB
MD53c6f2ad02c87a4bd7b51e9aa642b4609
SHA1d0a249f3022364779bcbe3892b3e798c85c60c4d
SHA256a74f7a2c195ff82ef14663335fe816cd5efb08fb8f1665cef3210f9be3e4aeed
SHA512eba9289d5feda60921ab49ec84011e0368f79c9016fe207d83b7ca9e2d16f25f5bc58d7ea4738f4a0496da32ae821782e64a7e06650dbda67d1130b2f5d95ad8
-
Filesize
20KB
MD564cdc6fa75fcdfebcb05b39a03da6002
SHA1aacecd53af933e846c6fe00af1a3468cdb1ad614
SHA2567c149adad06fa32526af46f4d0161867bff0ccfd53322ed0f92fe5a5ffb76873
SHA512f9d5a2d68d5e361b1cf86b2aede637c2692966deabbfc482b8866368feb36cc0bafdf7b8bdbe6459efad1d1b08e0a007528f0f8fa5f98169093725f85d9976c2
-
Filesize
20KB
MD564cdc6fa75fcdfebcb05b39a03da6002
SHA1aacecd53af933e846c6fe00af1a3468cdb1ad614
SHA2567c149adad06fa32526af46f4d0161867bff0ccfd53322ed0f92fe5a5ffb76873
SHA512f9d5a2d68d5e361b1cf86b2aede637c2692966deabbfc482b8866368feb36cc0bafdf7b8bdbe6459efad1d1b08e0a007528f0f8fa5f98169093725f85d9976c2
-
Filesize
12KB
MD555ba4fd1c50dbc3f2461a5d3f06790aa
SHA151c18b459bbad2bda7a5370d99af805d7743f7e3
SHA25672854c82f5bf8485d0b0491b58c93c43c0eca55c9d6e1822a8155b860ddf609e
SHA512345aa8622f0b04d6506e62f9526ee241927bfd7e243ab18b36f7ed0531aafbe7bb382be7cf535f43bc063b4480c229c1a74ee24c993fe579fc86c23a984e7204
-
Filesize
12KB
MD555ba4fd1c50dbc3f2461a5d3f06790aa
SHA151c18b459bbad2bda7a5370d99af805d7743f7e3
SHA25672854c82f5bf8485d0b0491b58c93c43c0eca55c9d6e1822a8155b860ddf609e
SHA512345aa8622f0b04d6506e62f9526ee241927bfd7e243ab18b36f7ed0531aafbe7bb382be7cf535f43bc063b4480c229c1a74ee24c993fe579fc86c23a984e7204
-
Filesize
28KB
MD51d4f450a11faa5e041d71105a0f31fcd
SHA19c8fa305c7ab51e084f3a61c6b606c37d33735f7
SHA256e7b16b2e296fdb63583925123a101e87e7d33f11cdf03250856111753d6c1fef
SHA51269fb92933372a46b88c24d6eed614c1842c09f7505da3e9a629ee23b592fcafaaed3f89a33158a243a8e25108dabb7cab15aec83a8e1e2ab40764b40c14cde17
-
Filesize
28KB
MD51d4f450a11faa5e041d71105a0f31fcd
SHA19c8fa305c7ab51e084f3a61c6b606c37d33735f7
SHA256e7b16b2e296fdb63583925123a101e87e7d33f11cdf03250856111753d6c1fef
SHA51269fb92933372a46b88c24d6eed614c1842c09f7505da3e9a629ee23b592fcafaaed3f89a33158a243a8e25108dabb7cab15aec83a8e1e2ab40764b40c14cde17
-
Filesize
12KB
MD59a5ae1c72ed6060e78409eae812d56b6
SHA15e64dd9a06e9f38b65cfb1aaf09798161b15f389
SHA256d770e3df18b272a9346457e23b21813f13882be6aeffc11521bdb15de46d8f3e
SHA5128fdc777e6142873c644499b43f91f9e67f76fadf80142458768679dee4730e2bdbdd1e8f06fa875a5f924eb20497da8cb59e8514456e739b85240026df382b4e
-
Filesize
12KB
MD59a5ae1c72ed6060e78409eae812d56b6
SHA15e64dd9a06e9f38b65cfb1aaf09798161b15f389
SHA256d770e3df18b272a9346457e23b21813f13882be6aeffc11521bdb15de46d8f3e
SHA5128fdc777e6142873c644499b43f91f9e67f76fadf80142458768679dee4730e2bdbdd1e8f06fa875a5f924eb20497da8cb59e8514456e739b85240026df382b4e
-
Filesize
10KB
MD5adcaa559ced2de90ed2ce17e502c74a7
SHA13b8e845fcd63ce421730dcefa063a6055ebdb4fd
SHA256d4aa3dd6d7d05f3037c37ecfb423d1cb5916906a42404b6e21473a52ae1f2560
SHA51286266861dfde5f7feb3009b6b2e7e9926967dae70639862285c84a55b307763b7c0d7350aa40fd22fae721f32a5a1659a1b51fbbe6bc216d5dd8c80bb1d8f827
-
Filesize
10KB
MD5adcaa559ced2de90ed2ce17e502c74a7
SHA13b8e845fcd63ce421730dcefa063a6055ebdb4fd
SHA256d4aa3dd6d7d05f3037c37ecfb423d1cb5916906a42404b6e21473a52ae1f2560
SHA51286266861dfde5f7feb3009b6b2e7e9926967dae70639862285c84a55b307763b7c0d7350aa40fd22fae721f32a5a1659a1b51fbbe6bc216d5dd8c80bb1d8f827
-
Filesize
10KB
MD522e61ad75d6e19718ee1d60405229ad1
SHA13052864c611910d153ca0ee5697541aa98170c69
SHA256f542f3064fe7c816ec735431a0d6da91984df6764fb6e0ab1758060db19e1bec
SHA512e9cd83774db518b96ab627e35f6c31aa6f35ee121ead45abbbe17d11890376e1842f2d0bdecaa19d4570b31cefe13453a69e5ad151943705e8c9665d0761cfd2
-
Filesize
10KB
MD522e61ad75d6e19718ee1d60405229ad1
SHA13052864c611910d153ca0ee5697541aa98170c69
SHA256f542f3064fe7c816ec735431a0d6da91984df6764fb6e0ab1758060db19e1bec
SHA512e9cd83774db518b96ab627e35f6c31aa6f35ee121ead45abbbe17d11890376e1842f2d0bdecaa19d4570b31cefe13453a69e5ad151943705e8c9665d0761cfd2
-
Filesize
624KB
MD51c33cb1547a1c5ba7455bb0bf0215a7c
SHA17952bec4fa818a443c7199e3bf46c680cc0b0c38
SHA2561599657f775cbeedb9ebb1feb7aaa339f0598e446620b9d2131a54f58af8a628
SHA512fe812921f4dabf157c35260c6e7bebef8b5a3f060e597ce55c602008eed479e067f2356d0b1c19ff0121c348e0aff7f828b2eb69fa9f18d62d77f536245f7196
-
Filesize
624KB
MD51c33cb1547a1c5ba7455bb0bf0215a7c
SHA17952bec4fa818a443c7199e3bf46c680cc0b0c38
SHA2561599657f775cbeedb9ebb1feb7aaa339f0598e446620b9d2131a54f58af8a628
SHA512fe812921f4dabf157c35260c6e7bebef8b5a3f060e597ce55c602008eed479e067f2356d0b1c19ff0121c348e0aff7f828b2eb69fa9f18d62d77f536245f7196
-
Filesize
85KB
MD5edf9d5c18111d82cf10ec99f6afa6b47
SHA1d247f5b9d4d3061e3d421e0e623595aa40d9493c
SHA256d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb
SHA512bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf
-
Filesize
85KB
MD5edf9d5c18111d82cf10ec99f6afa6b47
SHA1d247f5b9d4d3061e3d421e0e623595aa40d9493c
SHA256d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb
SHA512bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf
-
Filesize
92KB
MD53806228ef5006db1ad04339fc980b491
SHA13a9c94cc60c2e6d60f2d23b656966e11bea0b7b1
SHA256b391fe732d01ce9a1c8631f880439d1e692502fda12409164db4581d01108405
SHA5125910cc182935a7fab0d2acb5ec674ac77c35a985b3932493da19d56f4675ce09420579b479355aae638a7a309b0f5dc4ffff5857f43fd937eff7f3fe072d7e59
-
Filesize
92KB
MD53806228ef5006db1ad04339fc980b491
SHA13a9c94cc60c2e6d60f2d23b656966e11bea0b7b1
SHA256b391fe732d01ce9a1c8631f880439d1e692502fda12409164db4581d01108405
SHA5125910cc182935a7fab0d2acb5ec674ac77c35a985b3932493da19d56f4675ce09420579b479355aae638a7a309b0f5dc4ffff5857f43fd937eff7f3fe072d7e59
-
Filesize
128KB
MD5ef7e49501bd6bd1a50ba784490fbdf4f
SHA1d2cd4c60898a3901a32995fed56c08887c25296c
SHA2568786e7cfadc2dde1f3ef711bbbe51283d96999724eb7cf8072e5d3d8bf8c38af
SHA512873dd73df7b6245773896b1fd4087fc13ddb95e33120e0b1b2e5bd77b256d320781eb039664b1943496fe4fd2ff959eb6424bfdd019b71362609570f74e3a307
-
Filesize
128KB
MD5ef7e49501bd6bd1a50ba784490fbdf4f
SHA1d2cd4c60898a3901a32995fed56c08887c25296c
SHA2568786e7cfadc2dde1f3ef711bbbe51283d96999724eb7cf8072e5d3d8bf8c38af
SHA512873dd73df7b6245773896b1fd4087fc13ddb95e33120e0b1b2e5bd77b256d320781eb039664b1943496fe4fd2ff959eb6424bfdd019b71362609570f74e3a307
-
Filesize
248KB
MD5cf663f1c5bab7c44c9db8046206f50bf
SHA1c1400e03f08673a822ae10eda17f48526f1c8db0
SHA25684c130547ff962eacd496ec92926a89b9d8bbdb30019fd3cb3097b7c5c2e8efe
SHA512ff6ce25fd22712a83f5c28d14f105cb0c982b01c649445ca2b6786ccf1ff7cdf3dcbdb52086ca805a3592a4e53502433d96196241733015540896d8413640d19
-
Filesize
248KB
MD5cf663f1c5bab7c44c9db8046206f50bf
SHA1c1400e03f08673a822ae10eda17f48526f1c8db0
SHA25684c130547ff962eacd496ec92926a89b9d8bbdb30019fd3cb3097b7c5c2e8efe
SHA512ff6ce25fd22712a83f5c28d14f105cb0c982b01c649445ca2b6786ccf1ff7cdf3dcbdb52086ca805a3592a4e53502433d96196241733015540896d8413640d19
-
Filesize
754KB
MD55d790dc641335ed8d7bae04af8e65054
SHA15f2e1f216cfffbc9a8118b051a016b5d4cb20c23
SHA256b71bb573f250efff3ff315227e4efa747d4cd642c6e7473f48992382f8b66182
SHA5121ee6d932be8b3015d7a9dd2e7b89878d2bc58ba736e2910f83659bddc33f5d8ea216c9403abb7e7fc603f3d646e9e8c7ae738613bb01fb815095666726c450e4
-
Filesize
3.4MB
MD52cedeba37718ca4ac9d2bbd317264dd7
SHA1a3e9cd02eb969df703443fd9a83e28f28be0b4ee
SHA256189de7e277760595b3a4be2679283227fb298709db29dbebc60b3a02f227a1a0
SHA512b55b8b3b1d61f953a5be99848fe096a066cae22b4d43b960afb93f988d67aabc9a2fc13bd346a93ef7685a25c2e0dbbaf01680540463f19793881f41164bf76d
-
Filesize
3.4MB
MD52cedeba37718ca4ac9d2bbd317264dd7
SHA1a3e9cd02eb969df703443fd9a83e28f28be0b4ee
SHA256189de7e277760595b3a4be2679283227fb298709db29dbebc60b3a02f227a1a0
SHA512b55b8b3b1d61f953a5be99848fe096a066cae22b4d43b960afb93f988d67aabc9a2fc13bd346a93ef7685a25c2e0dbbaf01680540463f19793881f41164bf76d
-
Filesize
136KB
MD58eadc90326166b11dfab03975c0a747c
SHA16d3cf5c98ab72e1bf97436355619b576a36e4e16
SHA25671bf0a66de1ea95b4a61a9a4b4e752fc792e389f39d6cdcf529c35a3706ea99e
SHA5122df996a0136364ffaead291f5b6017dfd5df103e033dbdcc78f464c315fe85a55099f8e313e77e85065634d342628ad165f409e5eeb8535371da545eaeca5173
-
Filesize
136KB
MD58eadc90326166b11dfab03975c0a747c
SHA16d3cf5c98ab72e1bf97436355619b576a36e4e16
SHA25671bf0a66de1ea95b4a61a9a4b4e752fc792e389f39d6cdcf529c35a3706ea99e
SHA5122df996a0136364ffaead291f5b6017dfd5df103e033dbdcc78f464c315fe85a55099f8e313e77e85065634d342628ad165f409e5eeb8535371da545eaeca5173
-
Filesize
1.1MB
MD53b337c2d41069b0a1e43e30f891c3813
SHA1ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499
-
Filesize
1.1MB
MD53b337c2d41069b0a1e43e30f891c3813
SHA1ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499
-
Filesize
129KB
MD5ed2a30ab838d76dbd5ccbb272798af31
SHA1d0d07e64c09993cee447b9b6e4cdfd48653b156a
SHA25668b4fc8226000e6b270badf0f5e2a79b4f8d515ce4447be68d4eee7c5b3ae4d2
SHA512f4de6ac3ad50ca0f978413ada0f2d5a587d86668f900d7c9cb55822927f9d81ac695db581f385c1185da63ff3912ac3e7f17306b70aeeba7aee59abc4e10724b
-
Filesize
129KB
MD5ed2a30ab838d76dbd5ccbb272798af31
SHA1d0d07e64c09993cee447b9b6e4cdfd48653b156a
SHA25668b4fc8226000e6b270badf0f5e2a79b4f8d515ce4447be68d4eee7c5b3ae4d2
SHA512f4de6ac3ad50ca0f978413ada0f2d5a587d86668f900d7c9cb55822927f9d81ac695db581f385c1185da63ff3912ac3e7f17306b70aeeba7aee59abc4e10724b
-
Filesize
26KB
MD5f595a386e1eb9b25ddaf83602f3da65d
SHA1499ad098b60c76b6257771d3ada8bed0683d04f0
SHA256d8dbb29f4945436f12d258aba0b31a05cfd2f699a0fbdde2fd59a857ea00be62
SHA512d5c98374549bb182a2e8fc41cb5ef4e19fa50da1ead9a173a2d2201060660f9c027642199153335fd1c5803d58c439e7fbef7a0955d54bc3cca790d3c414426e
-
Filesize
26KB
MD5f595a386e1eb9b25ddaf83602f3da65d
SHA1499ad098b60c76b6257771d3ada8bed0683d04f0
SHA256d8dbb29f4945436f12d258aba0b31a05cfd2f699a0fbdde2fd59a857ea00be62
SHA512d5c98374549bb182a2e8fc41cb5ef4e19fa50da1ead9a173a2d2201060660f9c027642199153335fd1c5803d58c439e7fbef7a0955d54bc3cca790d3c414426e
-
Filesize
152KB
MD50b507c90203c52b2ad260f0d756112c3
SHA1f8f9f10b7c90ea44aa5ed8613d1a42463fc150c2
SHA2566b6f2bd8f7e9f5ead3b524ca71175b2065bb6955c3e3039fc1a49d37ca6cfb01
SHA512f6c9356cb9e9fe73422730b0ec9bc5ea88ae44b0d3320c184a856463c284859460c11cc32c44ee0b26d17d7e2e02bc6c21691217266153101ca28ae1fbb5d76c
-
Filesize
152KB
MD50b507c90203c52b2ad260f0d756112c3
SHA1f8f9f10b7c90ea44aa5ed8613d1a42463fc150c2
SHA2566b6f2bd8f7e9f5ead3b524ca71175b2065bb6955c3e3039fc1a49d37ca6cfb01
SHA512f6c9356cb9e9fe73422730b0ec9bc5ea88ae44b0d3320c184a856463c284859460c11cc32c44ee0b26d17d7e2e02bc6c21691217266153101ca28ae1fbb5d76c
-
Filesize
7.1MB
MD558a95fc6dfb8229d9038b9d96f7828b7
SHA1911987838636b980fc2e3dcb150151c3031cb3d9
SHA256856ab06d8318c146636abb4ea7e36ade19a9ab3628e2caaa0b2933b17795f177
SHA5123471fa94d02af39263564cdcd096ed42e70eaacd601f848e430c7f03e99788ae633285fd1a92fe39c753ac23e9166b4153a6f53137a0d72f174159cad2248fdf
-
Filesize
7.1MB
MD558a95fc6dfb8229d9038b9d96f7828b7
SHA1911987838636b980fc2e3dcb150151c3031cb3d9
SHA256856ab06d8318c146636abb4ea7e36ade19a9ab3628e2caaa0b2933b17795f177
SHA5123471fa94d02af39263564cdcd096ed42e70eaacd601f848e430c7f03e99788ae633285fd1a92fe39c753ac23e9166b4153a6f53137a0d72f174159cad2248fdf
-
Filesize
115KB
MD5ac6f69bf07fc18e8487d3509681b1c5e
SHA153bff2ee26769cd1c9b0b9d1fdae3874907e40f9
SHA25640d7ea7b899932a612e22a2509c4823ccad8574b1110b1fea16962f7dcf81aaa
SHA512c160e7f1af003e423507ccba2c5858f08997deafb76ad7d0cc6e3c5299918e779597e65b77cf9f3bcacb6b1a9d45bd5b5ba4077006ff1d066713dcab40ff069e
-
Filesize
115KB
MD5ac6f69bf07fc18e8487d3509681b1c5e
SHA153bff2ee26769cd1c9b0b9d1fdae3874907e40f9
SHA25640d7ea7b899932a612e22a2509c4823ccad8574b1110b1fea16962f7dcf81aaa
SHA512c160e7f1af003e423507ccba2c5858f08997deafb76ad7d0cc6e3c5299918e779597e65b77cf9f3bcacb6b1a9d45bd5b5ba4077006ff1d066713dcab40ff069e
-
Filesize
186KB
MD53473852d4eb8e6ebb384031f158e7f79
SHA16d3183ee032aafc19de54c556beab6844a499715
SHA256d84b813a3b4c9f9a8708256a406652673d48066a9a603068b0fed196e1398c65
SHA512bb83752d3956ef95ca3363381714189f7f9493b5cc0d55f3366577937fb5fb2b261f2aae3b1eb459683eb877fe7c72b4f48045d0cb76a26622c85af3014df409
-
Filesize
186KB
MD53473852d4eb8e6ebb384031f158e7f79
SHA16d3183ee032aafc19de54c556beab6844a499715
SHA256d84b813a3b4c9f9a8708256a406652673d48066a9a603068b0fed196e1398c65
SHA512bb83752d3956ef95ca3363381714189f7f9493b5cc0d55f3366577937fb5fb2b261f2aae3b1eb459683eb877fe7c72b4f48045d0cb76a26622c85af3014df409
-
Filesize
2.5MB
MD5c02afabf5556d37181ea7458b385b29a
SHA15bc983ac58ebbf5d826e7ea06b12b9e56e28d35b
SHA256bf5160a2746860747a3871a7d800e6c1ad29868752292148df40044822a3c1b3
SHA51299eaa906cea86a84721c3fd9e5e0050114b33b6453892679f4f6eb985e5a8c9dc864f52c7de8dae576cef1505d96983ce7d4f73ff8e9ba2ad9f4e8452440abc1
-
Filesize
2.5MB
MD5c02afabf5556d37181ea7458b385b29a
SHA15bc983ac58ebbf5d826e7ea06b12b9e56e28d35b
SHA256bf5160a2746860747a3871a7d800e6c1ad29868752292148df40044822a3c1b3
SHA51299eaa906cea86a84721c3fd9e5e0050114b33b6453892679f4f6eb985e5a8c9dc864f52c7de8dae576cef1505d96983ce7d4f73ff8e9ba2ad9f4e8452440abc1
-
Filesize
2.5MB
MD5c02afabf5556d37181ea7458b385b29a
SHA15bc983ac58ebbf5d826e7ea06b12b9e56e28d35b
SHA256bf5160a2746860747a3871a7d800e6c1ad29868752292148df40044822a3c1b3
SHA51299eaa906cea86a84721c3fd9e5e0050114b33b6453892679f4f6eb985e5a8c9dc864f52c7de8dae576cef1505d96983ce7d4f73ff8e9ba2ad9f4e8452440abc1
-
Filesize
5.9MB
MD599a474de9672b2f9e75f71259750a98a
SHA1be4a91e867f366a36b42d49924c1e1f8e2882988
SHA2569999f3ae3c8328a50001815e4a0c1e8f6de8644eb0ac243b1a8b13a400977af7
SHA51230d78244bff64c3e95cefa08e4d470304a6c7b2d28016d7529812aa4fc68473ffed9f429555bf42fedafe09f1803b8073ac32cb849a32c6ddcff534167d5e8a7
-
Filesize
5.9MB
MD599a474de9672b2f9e75f71259750a98a
SHA1be4a91e867f366a36b42d49924c1e1f8e2882988
SHA2569999f3ae3c8328a50001815e4a0c1e8f6de8644eb0ac243b1a8b13a400977af7
SHA51230d78244bff64c3e95cefa08e4d470304a6c7b2d28016d7529812aa4fc68473ffed9f429555bf42fedafe09f1803b8073ac32cb849a32c6ddcff534167d5e8a7