Analysis
-
max time kernel
112s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 07:35
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
Resource
win10v2004-20240508-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files\Microsoft Office\root\fre\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/3428-294-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Renames multiple (3242) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process 3428 HawkEye (1).exe 4992 HawkEye (1).exe 4520 HawkEye (1).exe 4904 HawkEye (1).exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Admin\OneDrive\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HawkEye (1).exe File opened for modification C:\Program Files\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Downloads\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Libraries\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Music\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Music\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Documents\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Searches\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Links\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\Videos\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Pictures\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Videos\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\desktop.ini HawkEye (1).exe File opened for modification C:\Program Files (x86)\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Desktop\desktop.ini HawkEye (1).exe File opened for modification C:\Users\Public\Documents\desktop.ini HawkEye (1).exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 52 raw.githubusercontent.com 51 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 66 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\main.js HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\ui-strings.js HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\2px.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-150.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-24_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-72_contrast-black.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-lightunplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\DeviceNotFound.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-300.png HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportNoResults.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar150x150.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\153.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-200_contrast-white.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-100.png HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\ui-strings.js HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyCalendarSearch.scale-400.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-125.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\el_get.svg HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-48.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-125.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\HeroAppTile.xml HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ui-strings.js HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-150_contrast-black.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\Java\jdk-1.8\jmc.txt HawkEye (1).exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye (1).exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\ui-strings.js HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-200_contrast-black.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\jit_moments.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-40_altform-unplated.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\avatar310x150.png HawkEye (1).exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.scale-200.png HawkEye (1).exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002322fad14fdb874f8edc4f7e0cc1913e0000000002000000000010660000000100002000000009e86b57d09eb576729c5f4165d7fe4eed1a6316b0a5105b6da3441cac4d1aa8000000000e8000000002000020000000b5ec2e734a212da69b053d0d25162c9df70cc35114a974457b5135e5ec120be7200000003d8a60de6dc053259c16611033ee9d5fd25cc28e4240553d3203e6bc50413c1a40000000a91a0f2fae159272a59a0ca566b782ee3b5716a167e6540054a53feefc3e2efee646a0f135cff4411cbf80b38006cad050848ebc9755b50b1c93395b261e199c iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "61" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DA2F90FB-1BFB-11EF-BA70-7ACDD6433640} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\ = "61" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mega.nz\Total = "61" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DOMStorage\mega.nz IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806377a608b0da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings msedge.exe -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 344023.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 742807.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 701104.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4500 msedge.exe 4500 msedge.exe 4296 msedge.exe 4296 msedge.exe 2876 identity_helper.exe 2876 identity_helper.exe 1060 msedge.exe 1060 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3428 HawkEye (1).exe Token: SeDebugPrivilege 4992 HawkEye (1).exe Token: SeDebugPrivilege 4520 HawkEye (1).exe Token: SeDebugPrivilege 4904 HawkEye (1).exe -
Suspicious use of FindShellTrayWindow 50 IoCs
pid Process 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 392 iexplore.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 392 iexplore.exe 392 iexplore.exe 1988 IEXPLORE.EXE 1988 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4296 wrote to memory of 4728 4296 msedge.exe 81 PID 4296 wrote to memory of 4728 4296 msedge.exe 81 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4980 4296 msedge.exe 83 PID 4296 wrote to memory of 4500 4296 msedge.exe 84 PID 4296 wrote to memory of 4500 4296 msedge.exe 84 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85 PID 4296 wrote to memory of 4736 4296 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ec546f8,0x7ffc4ec54708,0x7ffc4ec547182⤵PID:4728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵PID:4980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:4600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:3104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:82⤵PID:428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵PID:2100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:12⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:82⤵PID:3516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:82⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵PID:2816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1792 /prefetch:82⤵PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:82⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060
-
-
C:\Users\Admin\Downloads\HawkEye (1).exe"C:\Users\Admin\Downloads\HawkEye (1).exe"2⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3428 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:392 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1988
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1336
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2880
-
C:\Users\Admin\Downloads\HawkEye (1).exe"C:\Users\Admin\Downloads\HawkEye (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
C:\Users\Admin\Downloads\HawkEye (1).exe"C:\Users\Admin\Downloads\HawkEye (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
C:\Users\Admin\Downloads\HawkEye (1).exe"C:\Users\Admin\Downloads\HawkEye (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5bb83524d0261a715c176def3fa5e7712
SHA14eb6990d74067a813c49b29ea70755bd5b837378
SHA25670df37a98059ede787addbd410145e6f8046b3cb475109d91a723975845b9a50
SHA512f768437ee7aff5553a958b9ad1f6da0bea215fafd3786c7fcc8d3c907ebf94251eddefc8d0de92e3f46c6681bfbd996cffa7d2d0785bd68ec745ed55675a4980
-
Filesize
20B
MD5b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA2567a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA51209b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316
-
Filesize
152B
MD556641592f6e69f5f5fb06f2319384490
SHA16a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA25602d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868
-
Filesize
152B
MD5612a6c4247ef652299b376221c984213
SHA1d306f3b16bde39708aa862aee372345feb559750
SHA2569d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA51234a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD50b7bd0a0343ad56911434c9637c6670a
SHA1e999f3e410d7ee8c36037332330d5c383f221182
SHA25622348e0eb750221bc89a958b5b595612d36a31b07688f190fc013ab72865fbc1
SHA512ff4bc855ec0c16d228f353d397243c8cedb0d4bc90052e246031c3ab9536121acb48bd03e3a0695673f99f03795fd118f16e46ada31cd25de727f6afcf34d3f6
-
Filesize
579B
MD565fb584b67e9d4b5954709456bc4c315
SHA16c0de0d8ad3ffd005cce777407fe7e3875ffca03
SHA2565cec29dac5bffa8786cdf78db81c40b7f87e809057bc371b756405d58ac03e62
SHA51296d08c027b3e75416aad7a1c614a4ed24f53c444e2df32b75ab2884116cd4a80bc44a1e823d9d64918181dce78f8548e908d8a3e1fe217a7e37deca6e2d5b4fa
-
Filesize
6KB
MD53e7fc35b9d94c8a0013f748eef55b60a
SHA19abb9725fb1bc7086b686afc475ce21bb9943333
SHA256a9dfee5babd9a09122653779eb87211ba32ef9c03fd41ee06029aa73a53abdd6
SHA5128346ae61f212c9fd86959550d385ee7b7d66bea6d9e4de6725469244f5378722f6e0cc11e79891802df5d70b4c1e93ab4830e0248fcf06187d745cb44528e385
-
Filesize
5KB
MD568e5b9e6d084187efa5772348233deb1
SHA12f9d9be022cd0e46437b20e6a4915276d76e116b
SHA25667bb3afdd5d213d55416948b3df8e97341cfb4c8b243a3e15c9c738e015fe328
SHA512421c01426d90c1aebe0f5d748793b2bc4f4560a3a75553b9c52fbab0d43265ef6a28d342388e7cff288f871184bf135d1e0e1ef529708b8170ab94549a4ced5a
-
Filesize
6KB
MD5a3b2f89716701c860b76c5735c08c363
SHA145f465a49d9d45e90e7acc8c1b1842db53b8d43b
SHA2560a343b8baec7db001888ed6698b37556bf134bbf740c1f819f044e8f2ce8b677
SHA5123582fa2f33e2cefc181212cb3b3df1bf48bf0b63b7f9710c33d5a9ff129edf60151651995f0c4b8336fe1c4aa364fb51ea22bcf834e473c796651dd0951d6249
-
Filesize
1KB
MD50229dea7eff6bd798dbbae1a1655c9e0
SHA131876d564aee7ce760807bb4934ba5258258ad98
SHA2564281a91f65d3e9906868f17a53aef38a6786cd7b398c086b79e5a22ef7a3690b
SHA512bc1fb454f128b1a455737e61258f5f373f9e71aef51324b12a7b7809992a3e0d264ecf54e64680ffda9dcf5198a2c5fcec7662bfb4b01387ec2030c31deeeed6
-
Filesize
1KB
MD533a22f893b988c6d0b92522535ae1fb8
SHA1a2ece7a9bf978cd027b350e8fddce8d2818da7ea
SHA256eb8382b2994064699931e8c041cc5103d27935812254a76530341762bc58a9e3
SHA5125ecef0e59d8ec9eee34dc3d35797920de0aa933afa8752d8ed85576993c7d95b6363fc412c0764213e24ce8fa7f8951794bc92fef30250c35a5a5137dccc81d0
-
Filesize
1KB
MD59ff3efe6f596550be94038e3d4d622b6
SHA1ff9f99815f983fe770ced4e9be33351ec53da7a9
SHA256a517d14e26d54338b48fb64e11ec226793d548d74e739aa85d6e1eb7cc89d71d
SHA512fc222258facfc2be509e216b04846a9b14929585ac48320be1899e63127f154564e0fa65d60d57aa94ba07ff761c67adb1bc3cfe97e9e5c82eff5b6d55fd2491
-
Filesize
1KB
MD5b7036449e2d9d7698abf229c5d3fb709
SHA1037179a25aff1548aba0e582493833220bffe91e
SHA256bbc1cc8dac274fcc2033e9312be7a3e1b4132097bee9cf31b5613b6a7fccb571
SHA512e593539de2b81c5063e3397808b872c62816d108da062f50c6ff5c17fec39e746d809d96677a793c0023d268bd307b43ea299a283d785624127f730fa0243b95
-
Filesize
1KB
MD5d3be05ec97149f9641db4e93898c7f8d
SHA126c6ab8c95d6591b38c9c68832bc03b49ec9ecde
SHA256dca423e3c070b33e7ca4083e25e940d417efcbd9525dc0f8b2731b8e833802ea
SHA512151bdc50a3f4872ff5730593f919308f9b40fe396ddb25d6460f7400c92ee3f12d99c251dcdf72c761df7248bae0459ff3383a5c398202cbdfc0930c66631fc8
-
Filesize
874B
MD534a59382b87635219e3e4c4556fbabe5
SHA11a0c94af9cc15ef5cf08699d018b03310d9d2b30
SHA256aae54d3845e660699f6cfbf65648c4e4ae40adf0d5fbe8a4bf64c16c2e35598e
SHA512457df783f706f018daa6afa6f126a4a73c42784577df6e9999dc1126bdd5f8c21feb44c8418511d5a32830d5e5d4cc288029567dccb0b3bba5b84dfbe3654ff8
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD59eac28f6f5804781699057e96855e105
SHA170332524aa6fa38f722f4a2e641c3c9638cdccf7
SHA256573ec52e040cd5ca5f7eab2029a89e2afb6a02ffd1bf6b8b44530b2e0c6d4bf5
SHA512fa4d36e79aea110d7d6aab1515a978f140c166021f088c02bff6d06a089ffc250ffd266545cb819a00f41710d84a35e2dbd45c247fdb4b6322311d6978e2c006
-
Filesize
11KB
MD5751f554adbd9557e7b409085fe138b09
SHA14d83fdda381a8309d0d357b332693d9e533da80a
SHA256f74daada21ab0f855820ad5cd219d291d9172cb9abf7f08f1accdb2bc6a7d84d
SHA51213376ce692b40a67640764504933a8ec64bcabf33ed60cc0d7ff6b355857ffa0a0ec67e63be35d4c6fee695c6c9a482c6ab956eaad82ff6417aaa761601f81e5
-
Filesize
12KB
MD552fa57b777e16669a33791b6b443cffb
SHA1eb61c5f7953046d96a5a18404ed83dbeacb8f986
SHA256181e4df4d77687fea759bf88c6c6165e4ca294f5ea140063dfe4d30c5eedf76b
SHA512f6ae5db4c267a1d6e5955676e61b4f21b1a931ba945e39fd3e8654fa78be99da55fa4261e5ce5d0e83d17814017bc94a639b3796df94d78fc9be6584b999c205
-
Filesize
6KB
MD533595bd6c8b5e7d9e0c823986b23d07a
SHA1c1798bb9e81574fa5299631fa21e7158474fd5fa
SHA256d2d5e56f39c8de8a57e36f480086f7ac584aab5c42cc70444f1dee02f77512ba
SHA5124830a1aec72a0753be38800e2bf285014abe655149fc6eb42080cb68d051c4b020e3ca6eeed90b6b4d1e4a15ada02813b79ddd70322012df218b60945efe26e9
-
Filesize
6KB
MD572f13fa5f987ea923a68a818d38fb540
SHA1f014620d35787fcfdef193c20bb383f5655b9e1e
SHA25637127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1
SHA512b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a