Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
307s -
max time network
310s -
platform
windows10-2004_x64 -
resource
win10v2004-20240708-en -
resource tags
-
submitted
08/07/2024, 17:32
Errors
General
-
Target
https://cdn.novafn.dev/Assets/NovaLauncher.Setup.msi
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___5PRH6JJ_.txt
cerber
http://xpcx6erilkjced3j.onion/D2C7-244B-A15C-0098-B9D4
http://xpcx6erilkjced3j.1n5mod.top/D2C7-244B-A15C-0098-B9D4
http://xpcx6erilkjced3j.19kdeh.top/D2C7-244B-A15C-0098-B9D4
http://xpcx6erilkjced3j.1mpsnr.top/D2C7-244B-A15C-0098-B9D4
http://xpcx6erilkjced3j.18ey8e.top/D2C7-244B-A15C-0098-B9D4
http://xpcx6erilkjced3j.17gcun.top/D2C7-244B-A15C-0098-B9D4
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Detects Floxif payload 1 IoCs
-
Contacts a large (1115) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 24 IoCs
-
Loads dropped DLL 11 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 11 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 16 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 6 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 50 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.novafn.dev/Assets/NovaLauncher.Setup.msi1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca019ab58,0x7ffca019ab68,0x7ffca019ab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1960,i,13139879600645884274,18136755918152336832,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc9f9746f8,0x7ffc9f974708,0x7ffc9f9747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5032 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5648 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Mabezat (1).exe"C:\Users\Admin\Downloads\Mabezat (1).exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5944 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 4323⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 4323⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 4323⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 4323⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 4323⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 4043⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 4323⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___O7KKVGM_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___IJBZ55_.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "C"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4256 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2648758410532194135,5830994894724088020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7ev3n.exe"C:\Users\Admin\Downloads\7ev3n.exe"2⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat4⤵
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵
- Modifies WinLogon for persistence
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵
- Adds Run key to start application
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:645⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:645⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:645⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:645⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:645⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f4⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 11681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3872 -ip 38721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 696 -ip 6961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 464 -ip 4641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2128 -ip 21281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3672 -ip 36721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4332 -ip 43321⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 4322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1168 -ip 11681⤵
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 4002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3676 -ip 36761⤵
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 4002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4460 -ip 44601⤵
-
C:\Users\Admin\Downloads\Floxif.exe"C:\Users\Admin\Downloads\Floxif.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 4002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4104 -ip 41041⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38d5855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5ccf7e487353602c57e2e743d047aca36
SHA199f66919152d67a882685a41b7130af5f7703888
SHA256eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c
-
Filesize
1KB
MD5861888c47552bbfb74877f649e81cec4
SHA16b615be154f09ce994f6a9448f5593768e1962b0
SHA256c46572dbd7ced20b0efaeb074cb20f1b29e9e691f760fee6315aabacd69380c8
SHA5129249400881f6902f212362358edffa108bfcf2ac71e32732663cb1e5684f2f83fed9ffa73ad304e9ca7b4f2927217cb18bbbcced8df0ec1a6d58209fe6987bc8
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD57b814625629669639934dcaff4530ea5
SHA14e8fbe3388a8602b154955a6bea249e660eeac42
SHA25625adb65a68cafca75bbefa5f2662228ec7b8bff8efacc07107c6f1097e9245ac
SHA512726305da8ec30c005f51da376ac23bcc1eae914c729ff1dcc258e86bfe9082cc222fb65014880dcd93786c03088d16065c919bf14bba7ef6801e9db8129646c0
-
Filesize
144KB
MD58bbbe52f84aa875e6fb7b51084793195
SHA19c332f0dd687340cf730a50bcee3a25dcb6fb70f
SHA2566c74675df17b99963b85ce6d5b6b42f698cf804cec81a9dd68b8948922739f13
SHA512c3a1489d2ec1afbbeaee8310a64a0a256ec5da499d229662c7ccd60b7c7caab9b042d09c562739e46295fbc989b05f8db9c67d75aab18b893ec0b22eb54e057e
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
152B
MD56ae84fc1e66cbbb7e9d28b0e12d64550
SHA1100430bb653c896c11b94ac0bf2297a389ea5ad8
SHA256856a9c0ac8c29f738a3501b6bd007fd8cbbac211e461b91f4caff52dd41da75c
SHA5127fe7a8639d96118b843e67a6a6d397271b181dc6b049e6f7de77bee9c9214690b1b7f73164f7e463e117406dc978334ea02397fd639140598f60f89c6aaddbe8
-
Filesize
152B
MD597f8be9c465b0ed67c2415868506c354
SHA1cdb221d6debcf55615d3b5f30796e32065046dd9
SHA256b606a1ee10b65eb9077e7d2f3b34a0d7a1ed6a4802a169fe55449c975332ee02
SHA512a0fe0ed30624658127316873137f4fc488a5916005e5e3f1f55b7d6442b54010c08d7037b94d0cf3c3316b1bb4acf91bad9e64ee6d15302e3cdd62bb18730542
-
Filesize
3KB
MD5daf4eb7b384c2649fdfea02aa4fe45f5
SHA18fda78cb96edf8b7c1603243de8aa060c5d206f7
SHA2569eb5832e7e2c17e3759ba79a3e3b9673c7e966be0c7441e77d0952ee5d24dbb8
SHA51257a2b6af8468535aed0c6236aefc0e214301052c83a05f624dddb6b689ec7d3311113e426da3f4ac69aab0e8f8ede482f8364e5cd443c255bbdbf2eb8b8a190b
-
Filesize
3KB
MD5e61661cf431e9208e94c9dfecea4c23a
SHA120c5ac8ad8e4acdb3cb09a7a14eff0f6e0bf6d25
SHA25696370977e2f0a9b52cdfd58b842b880cd4dfabc2ee205eb88f298680b874439d
SHA512c8b20a1e94479aa86b098aecf0bb9a7b7b232ea010c40483547f237ad0901bf8ae10a90fa722ab89f7c9435ae650691f96d4a9e2e4ea43146bb172819e90ab06
-
Filesize
779B
MD5898de08cb9e79526bd2f2bb36a1dd409
SHA1a1c3b86f8265373e44070211f333ba9792d51fa0
SHA256364693dc1c9aa2b1755bec7af0a538e5fc98c94f029088d64f6da31a95031b87
SHA512759fffae5d9fa305b89170258659c88988705429a3b863cb275bb0544e114377edbbb600c9ed2ba5ca4e0fe595d7310f449c957aab89249069819c623bfcbc3b
-
Filesize
862B
MD5316902e91dc29bcec5996f1f9e1d9277
SHA1a7702e556c40ba46d9f9f7130ab85e153f97d7cc
SHA2563c8f3431524e72f65075c7064ef3d8623502f86121fae87688b032f1caf5e89d
SHA51205af55cc75d92862f49a5cc41b7108c9a2f739a67052d8007e2db07d87392abcd0f441be9869adc36f4dddc71c7881de3dc3df1c7e10e2b57f235114def8b959
-
Filesize
6KB
MD5a2995d1aa28abc7fab5c9caef45f65ac
SHA1d5ec6b77eb7ab380a04f4cd8b51aa8dfea15a498
SHA2568a419bd842581a487f24cd0e0a485bf990592e265f6811ec25e6a1fe46b071f3
SHA512a7454473634dbf72e9437eaade9c8f03d624a26e015d12849008191ec58f15ef1c9dd38085075b6a077987d24058b0bb46c420b8bc84221e8a6f6dd49bbe2f84
-
Filesize
7KB
MD5aa2abf1fa7f1107eb284ab9f6e6d6fdc
SHA1b5404c0fdf5740d0cc3b63cb7380e0ef7643975c
SHA2563e6654e9201ec5ff9d047bd816d41dbb5cf08c04e85381d4e9f1ea8e3eacbb69
SHA51261b181ad932a4818db3b4fe1c34e9de8d01df6d765d89dbb3486b699cec0748d3b598a014217a9f88b31b0d278459ee19a64d90f6559e5692c034ea83a2254e4
-
Filesize
6KB
MD5b4371c0216f7051f05bae235da0ea2b4
SHA1b750276be4bd00df7946f25889f8195f434a7ccf
SHA25600a56b6e7a37bedfd48bfb07ab8554a79f75fd33f13c8062cf9a1241643f21a3
SHA512d5eb922011c7b817525c372d443f1df2ca80a417c265c26fbac60991776957feba356cf6378238eb568f2aa3b83fe7c539798d5d7ee706d47aa3089c1d666e6c
-
Filesize
7KB
MD5bd183606c020f4358efc9ed3e0ccf0e9
SHA1c7576f888cd4bedc223021fe6dfe6d4f400640bf
SHA2563221b9fdfc485ebdc58ae483b863f06446a6da0057149e136e44440e49729263
SHA5122a4bf14fe71d837fb07c2d95ae9d42d690c67773d23616107ec61799837bcee6200d26645639b207adfb9f4b48243fa27f32141ffb227aefbe08de3010f8b293
-
Filesize
6KB
MD5ab2be18ed93db38a5ea7496325070cef
SHA11bef679bebae8023cc06eca3664b9fdf425b52a8
SHA25602093c78bb06eea10999128f4d8a4237f70c1770979fd873646820d166b0b1d9
SHA51273c6bc299ede0f4cce22a8e2462c8fb90346c8e745e1435e1068c222bbea483a4bc9f132c2ac559dee4ce3f9891c03e902bea1082285daf952e7cb6e4af7b100
-
Filesize
6KB
MD563b72ee21ea684173b833c0bcda95ab4
SHA1a6bb7a8ad211e9c7dd43c2db719beb461033d599
SHA256168fc665de892456ca81be2e33ceacaf2681178282d63d93b45960244429eec8
SHA512f0dbaca767e3e002dbf416d806c497fec6d79ede9c57bce3abcf206e5ce7a3e0bc8527be12f9ab829742d2ff2ee16a406a20ea00187f6d4db5bb78fa33c2f308
-
Filesize
1KB
MD53e9e6934884c8e3a7a8c843d79b6819b
SHA18e107d91797cafaa16d54649cacfa16c73f6d1e4
SHA256b74df57211fbf042e9d548bd6d18927784308f135429330ca5c2a8b4f5e1d059
SHA51280976058b2f2e3c0c34dbddffa897226cfb4c64291f860f3da8798f12916870ce356097f12b511377c2bd897743a2f8b3423b26561d2b56b0058dacc70256749
-
Filesize
1KB
MD576bef08ee24a02d4c8f1f3205779482d
SHA175877f5ca1db334bd142285c75a8ebd905a2c9ad
SHA2569a9a008b4d6e131603f874f30d145f15cf3b6fd3a26b011ee43b85a9a89ffd60
SHA5128f9b3bf652b0a8f94c44c4ea8171e7e1cd877d8c3ec9c3542e0d4d0ea0ebde1f4f6263b3ee59b72dfc431bf555c3223366309763f01c497e6de72036e75b3580
-
Filesize
1KB
MD58d4926aa2091bde3bab0c95afbe7f49f
SHA1fc18cef04ac7dfbbf78fdd59816e72b32598e3a5
SHA256a9376805d2b15d098b1f5927d5521facfb687e7c471f6fc55e3d1a29697236a3
SHA5124900ec80301e4c848e95e275b373d8a7e4b2e72529667728bb7c86725b162ed3decf656b67118d676c1e1848a5533d3a166916e3e16cd26b34c7fb91713e54e4
-
Filesize
1KB
MD5e270f8bcc541d0f526949fb05d856104
SHA1cd98b20e5c5a5f2d61cf12f0a6c58d23f01baa53
SHA256927ccd87c85d8d8ffb7c8a299d63f0a7f5f4d989266a28f754c90e5a08a80f47
SHA51242cb86440b5a6573988006937e45aa6a1a28d584bf3d6d829b711cdb958cac065217932a6df72d11c90cfeecd1d7177bf0f6bf2fc6e921ce01df5d2da56137b2
-
Filesize
1KB
MD5eddcc655e6f88a41b88c6e798e1508ff
SHA1ce9fc4b05483c9196e3e5b37571f2dc956735799
SHA256a1b6d491c7dd7a6696cf59a2e5b680ae128dd01c2771af54062cb0593fa73442
SHA512c551107ab98a7844a0a6615b1a1e9e4fca58f41accf3b2f5bbcfa61671250708f781dbf3bdd4064bab9a33518b5a8e87e03e5374838402fb6afc5b5a79215195
-
Filesize
1KB
MD573e2ea9438f6371e07a2fb7133039f89
SHA1e0e5fa0094526fbb5dcc6250b40ff988f1ccdf6e
SHA2561198e018e95882064c6a2303b735765e7438cedc35f94e6731d032f8c15afbbe
SHA5124743c3a6a8a2c788352c5bcfa7fc67f2091cc5be435dc9537e368d26d7b7b088af5e541511e6f4c1650081b2e6f5cececa903cbd3f79b542f4bcd79153b09221
-
Filesize
1KB
MD50eb94c011390a8c634938fc4afb0b67b
SHA19e52291b817766aed50b76974052d578f36a3c50
SHA25646a760e508926f216ba603faf0a7b35a33a0404f86bde5152befb06248ae25bc
SHA51206026cb1ad671cec5c9f082372394ae9aed4b5344dfd28a852f4845af95c1d77ba915636e415ac7ba871b9d0f1f1864890a6e027fd2d8e875001237e3d0d0b99
-
Filesize
1KB
MD50166e07d1d19702165aeaa3380fff936
SHA1425281881beaf4f8aadd3b49f688273001d8e57c
SHA256d272821d8491851e6a86b6e31a9603920e83b967486d163d619eaf58a40eeddd
SHA51227849d0c95c087fe65800d2f932c064903202b5a76d7fabf8f409b93cdf3ef2c417edf5d62d2101952d6d5e0e5befb4aecb061dcf4752d4c9a63f19f2624088f
-
Filesize
1KB
MD53e25d8b330d3521d378aed8cd015b64f
SHA1c691215d2b200e0ca0cfd1f197e99fb87affdf31
SHA256955c6eab02909127e035b5189083166eb5087275f7bea07f7652c649fe6b6e0e
SHA512d3195812d06cc70cce7adf92ab4de2fd62847605798d66e0283c8bf908306f9cce33c938503d12aa5b7398b2f652453fb8e55211d69ffdaefc52365a03622a9a
-
Filesize
1KB
MD5c377b0ad68a865e9ee8ab45a42bf793e
SHA11f7ff2c702078817d5d2f68c0081ce4846870ac2
SHA256521d6d80a9caf62b4b82c84389cb22402a12bfa7fb915039ac9b4cc7a7e3ed68
SHA51288cac679f10498898840b57796616d051e593f028b425a43f12abeca70ffd1e9493c1d600afa18df0bb63f970a3269f22f8076e2ac4b67701d4c8225f5890596
-
Filesize
538B
MD5b6fd75c8d3bcf2b615ebfc15955948f1
SHA155a589a5c90cd1b35e0e6794cdb98eb10784d5ed
SHA25621f5d514cfd5ee4e82cd544a11edb38af1275d08306b593c547aba7cba1b73a4
SHA512a445163b3d686d2438d290c0b2765b95c0f1308e907fd116951e08f37f90edf44e82c508b9ee2b26fe33f10f2ba2e5f3ec835d053ecb5a26f2b67daa8d26ed09
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD587b86566c33daed0361b3688a4571b12
SHA11645872fefbc2adeda3f5a8e08db8936ef62eeca
SHA25613f6913bfb23896677d85215c53766db7fb4a0bb6cfd880bdf149c5ad85c5f67
SHA5129b51589ad221a48090549ba93343d4d7245564c713fb7e4070768cb8d74adefe68ad3e4da7427b2a08078496865b63292779c95d83ce1cc6d3f172c613689300
-
Filesize
12KB
MD5c7bedd81643551ae82f0dd4cc65ae0c1
SHA1c6e82510ff8be6261b122067893cc36fb8f8ad48
SHA256796e4110d1994b7fb50416ab401ccd659306a8d1c633217dea4ea729a1d4db1d
SHA512b044962dadb17932c18dc594d31ccb5e0c902ec3be396abad83d69c2159164c9e3f3bb8da01e9cfb5c5124ed65ac7fd9e09c149216cb9636a046704fe36365ae
-
Filesize
12KB
MD5eaafa61f8be42bda27ece5a78b00a1a6
SHA131fd2aad76e498a3cfac99b01f8c0cad72e56710
SHA256643d7fb8668bce42f7d9ac322fb2696d24f79244c27787a33c8a541b371e0fb3
SHA512b1b0299468a684e57c066c30b637e98ed21519caec6eb6bb7a60ec2c7b7970e3fb01ab501aaded22410fb5951c6b38a2048f16c7bc3abb0eddabcc444311ed73
-
Filesize
11KB
MD59137b24b3681d3496d3693b1df826f14
SHA128d5bb57c4f208ec567378c3fadf767471aafc7e
SHA2567701f24395e2fd2b40eaff450903c09ad9c989cdbee9bb6a149abd2f7f880c28
SHA5123c855f4ac9eaf05887d782fa0419dc12de3f74efac794b263b9c17c06732f1b3accd0fba92ab664f126690df2817140c763a723c1951e9e7a87effa1c033e300
-
Filesize
12KB
MD5362664369cb9973a4415368eb146a8e4
SHA136b1d8efe0a524c8a577df67fd06a82cb2ee9beb
SHA25639bd3f7c0550dbfb3ae2d4d40a12ff36e1b116c71e31b7bca0286d45b55ecc88
SHA512d3904911253415627bc1fd6314be5ce4b263eaafdd7da8b100d581bd742b2c08457588ff2b522f421b99a92ca6e6ccd281ff3fbc9f2fff77801758630469d8f3
-
Filesize
75KB
MD5c82d3cb52c8ba621dc66a386abe97b59
SHA1d4a178c3cef34af370dd0c430c403a618000c246
SHA2560bf4e3090d7d80966d4de255e196924f337e3c2c41d8e2f77670a13396ca1fed
SHA512fb7b8ce256fc0d3d982d884b41be221333d4558031e75ee2f8458a799d3b92ab612ad5a3a77b5a67df075ce7bbce78f2c222e4f0a8357baeb855753da7eb0816
-
Filesize
1KB
MD5adfdfeb6ddc465802b5e7aa57f7626f0
SHA107a4c6ebbc313b5c4bdcdbc71fdbfedcac9c2c9d
SHA2566c45f9cb2ae6ce992c3346a234e0e34b267363d43da085a216d312b06a6553ae
SHA5122cfa8eef30a4650e1b056d967f2828330890020fa5941ec31d938d6f7568c1b604326cb9063a9804b79bda684e6991438ae7399a5751f76929aec37a0a2b127b
-
Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
532KB
MD500add4a97311b2b8b6264674335caab6
SHA13688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70
-
Filesize
141KB
MD5de8d08a3018dfe8fd04ed525d30bb612
SHA1a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA2562ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a
-
Filesize
1.1MB
MD50d3d77a419d673cf0a1991a1637db8a3
SHA1e66fa82a521309dcf20e6156be843e7106bc42f6
SHA256a56b702149310f2932cbc55481c2e44e30c622ddf7153a9e94582db5fdcdcc48
SHA5127ccadbef7def2e71e170d60a3a7def2eeafd7e56978f1d523f36b5ca9ee992bff814e91f871c066cbd3452f633ea31c45b081c941752087890176c9cc6d16bfc
-
Filesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
468KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
152KB
-
Filesize
204KB
-
Filesize
152KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
468KB
-
Filesize
192KB
-
Filesize
56KB
-
Filesize
192KB
-
Filesize
468KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB