Analysis
max time kernel: 443s
max time network: 432s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 07:25
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://dropmeafile.com/#4da74a3119
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
https://dropmeafile.com/#4da74a3119
Resource
win10v2004-20240226-en
General
-
Target
https://dropmeafile.com/#4da74a3119
Malware Config
Extracted
C:\Users\Admin\Desktop\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes: taskmgr.exe
description | pid | process | target process
PID 4556 created 4424 | 4556 | taskmgr.exe | !WannaDecryptor!.exe
PID 4556 created 4424 | 4556 | taskmgr.exe | !WannaDecryptor!.exe
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
Processes: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC65C.tmp | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC672.tmp | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Executes dropped EXE 24 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Desktop\\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe\" /r" | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: !WannaDecryptor!.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Kills process with taskkill 6 IoCs
Processes: taskkill.exe
pid | process
4356 | taskkill.exe
1688 | taskkill.exe
1548 | taskkill.exe
4388 | taskkill.exe
2800 | taskkill.exe
1628 | taskkill.exe
-
Processes: SearchApp.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | SearchApp.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604907536259354" | chrome.exe
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 4556 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid process 1900 chrome.exe 1900 chrome.exe 1900 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://dropmeafile.com/#4da74a3119
Depth: 1
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee7ce9758,0x7ffee7ce9768,0x7ffee7ce9778
Depth: 2
PID:3192
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:2
Depth: 2
PID:3220
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:2364
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:3432
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
Depth: 2
PID:1176
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
Depth: 2
PID:1160
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:2444
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:4396
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2620 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:1
Depth: 2
PID:1796
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5536 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:2592
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5524 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:828
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:3288
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:4224
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3176 --field-trial-handle=1876,i,14122952394060607244,16219684635470627815,131072 /prefetch:8
Depth: 2
PID:4744
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
PID:4340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Depth: 1
PID:212
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
PID:1432
-
C:\Users\Admin\Desktop\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"C:\Users\Admin\Desktop\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 277271716017239.bat2⤵PID:2104
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵PID:3636
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4924 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
PID:4356 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
PID:1688 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
PID:4388 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
PID:1548 -
C:\Users\Admin\Desktop\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4956 -
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵PID:988
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:3204
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:4536
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4424
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3664
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3088
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4344
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:968
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2400
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4404
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3724
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4028
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1228
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1084
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4384
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3364
-
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4488
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:940
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵ PID:3320
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵ PID:4156
-
C:\Windows\system32\taskkill.exe
taskkill /f be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2⤵
- Kills process with taskkill
PID:2800
-
C:\Windows\system32\taskkill.exe
taskkill /IM be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe /F
2⤵
- Kills process with taskkill
PID:1628
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556
-
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\00ba1acc5588432eb5f91255f3d5d8f3 /t 3892 /p 4424
1⤵ PID:396
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1828
Network
MITRE ATT&CK Enterprise v15
Downloads