Resubmissions
09-10-2024 19:17
241009-xztfsascjl 309-10-2024 19:14
241009-xxymqawepg 309-10-2024 19:00
241009-xnwf1awdkh 10Analysis
-
max time kernel
495s -
max time network
503s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-10-2024 19:00
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
-
Executes dropped EXE 18 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Control Panel 64 IoCs
-
Modifies registry class 37 IoCs
-
NTFS ADS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e48d46f8,0x7ff9e48d4708,0x7ff9e48d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1984 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6120 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5748 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6324 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 253091728500568.bat3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe f3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe c3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe v4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\FlashKiller.exe"C:\Users\Admin\Downloads\FlashKiller.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2403⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
-
C:\Users\Admin\Downloads\FlashKiller.exe"C:\Users\Admin\Downloads\FlashKiller.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 2043⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6964 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ColorBug.exe"C:\Users\Admin\Downloads\ColorBug.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Control Panel
-
-
C:\Users\Admin\Downloads\ColorBug.exe"C:\Users\Admin\Downloads\ColorBug.exe"2⤵
- Executes dropped EXE
- Modifies Control Panel
-
-
C:\Users\Admin\Downloads\ColorBug.exe"C:\Users\Admin\Downloads\ColorBug.exe"2⤵
- Executes dropped EXE
- Modifies Control Panel
-
-
C:\Users\Admin\Downloads\ColorBug.exe"C:\Users\Admin\Downloads\ColorBug.exe"2⤵
- Executes dropped EXE
- Modifies Control Panel
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4908 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,14968765459805569243,3461896621027044131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\000.exe"C:\Users\Admin\Downloads\000.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 04⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5112 -ip 51121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 8681⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3912055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5fab8d8d865e33fe195732aa7dcb91c30
SHA12637e832f38acc70af3e511f5eba80fbd7461f2c
SHA2561b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA51239a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize
152B
MD536988ca14952e1848e81a959880ea217
SHA1a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
Filesize
1KB
MD5521a1dd26c64e88f8b7a3693d828f7b4
SHA178bf9863e1ed2cf4bfc8e82d4d0469c1726dec88
SHA256db01e54675616ca14d6c0dbec70e6721f07b1a8f719344b1c77d28992c10c6ba
SHA512c7f7ec5134ed77323f867883e90cd0b0a31c152ff2c8b7c9c51efe7e526040dbb5dd02f7e8b260bdac2e3384e108bb66318b37ded0c68622e405753befc42641
-
Filesize
2KB
MD5eaab22e16690676badcb049b77b69ab8
SHA17d6cb3b50671655e51f7b369f1df08f01d85d789
SHA25624f5ec7b948827957f97934c176d5c2cb8ca768bb5786338a561736608818d22
SHA51276a5060bdee55b3aa70d82963e9a6ac813b7a95ad6c56c6e4770bff6977f518de633e4a3598b529c81826ad1cc800fc25d50317f7169fb0d9abd923c5cf0b782
-
Filesize
2KB
MD530d9fa371d7953a3acfd49626f2406eb
SHA1c02d5fecd12119755824399f76e0d99caabcc4b0
SHA256568747a4405fa7bdb118328e242735d71afc00db2fc5e360059c0c8bd6bd33f3
SHA51212254509d7a5083ec9d681d99800164002a1c737c1b256e24d567108a753c232ef542de747d6b2d4bcc34fe82109d4d81e2ad3cdcb7f31ef800d56a2c2e8b1bf
-
Filesize
2KB
MD504ada8608b68576d29bac9ef7987e3cd
SHA1656710e2f8181ddbaf5a2174b26fec2cc0a242be
SHA25677001e46f6aabe4b09628527ca982f04cf3e9bc7a4fadd429433b4c500f45987
SHA512777b8bfd5bf98c4f325120647fa51178eb9f101ba54d28a4d12abe033f42435547c6103019d42c174436b2c8468247153bc0c57b63d4f60bcb94f7f7a4d6e0f6
-
Filesize
579B
MD5a7d1701142cca705f833d70023ef4e1e
SHA11b76853132abfcddb4fefac42bf9df5d013c9815
SHA2566c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize
6KB
MD5c907fdf895cac5f0a83deca7318a3f98
SHA16d1dd65405503aa17f71b314a0416aafb2612e27
SHA256cc034ac04abc24c8cd6c3c6905fe4eded8503e19143fd3714a2687ebf585c594
SHA512b4f9a91acc5d5f2d9d9c83ffc7110c1555896ae8826cb39b0ec12602312b7b2d7e3a9c177f636893bc83c0d45be70923994f8b0e560e096c195be3c236563559
-
Filesize
6KB
MD5e4b171fbc07c0b472d0b41ec6bbf56d2
SHA1812541a511aca3079f4d2761c9e93a5c288cb104
SHA256b0f803441fc0b0934e50b57dc7e96fc67b545d9aff38b5c3c989c803a80cda22
SHA5129708df6a18c8fb0e6f2087cc864333cfae02069b9aa5d50e5fd281c5c035ea878af71a051b9a6899d960bc4f0710618dd4cf0b60b8476f8102065302ea556261
-
Filesize
6KB
MD5df3460d100313459767de1cabf9490cd
SHA179901d2688b6d5c6dfe99b8cdb93628232162660
SHA2565146a13d487ba1a980eade7e1ea0a7a0a15b131d94808c740088c6e45ffe975d
SHA5123ed4f60daaf3ec3424836263e30170a01da59e95cdf1537f746f8df045ef789380ac493a549192518f1bb079c6dfbf84f62bbff89e04f30fb0c0946165a4d1c7
-
Filesize
6KB
MD574c95816854dd8f6cfc55a6618d197eb
SHA17c377f8ce96a8cddc84ace03c1bf984a240c4b58
SHA2562563d754c3b72cdb68fdf2b6e9a26a834ccc1a20488a6a03fabd6c0d15612257
SHA512bf03fad293f58e25fee31de3e18ba9affd29f903e610526113e51a314496d0a16c4ef2e322849fd2852c94a1124a15a264daeec381c9c9ee3ccdafcdafa7d10c
-
Filesize
1KB
MD50696880d0689fe21dcb2340bcaa22132
SHA1543d70f0a6549e5361ab3eda23329613157de9a8
SHA2568e7c18988fc533f4c3c4aa39329fa0e0909d60f1fa64f23ff25363fc4fb47249
SHA5129dad9d59e245c8026d978677c4da3aa100538e60587c0890eafe6c4e48cc4f11d31a41d00d19129e45f9a5d996ea71dbe97aba4595795624e0b9b97115cc890c
-
Filesize
1KB
MD5e735866d5e791bc81555bea9e7c90964
SHA1f84084765e07e66cc9eb04a20273e5f47f21ec58
SHA256b00968014d36daeed652704bbffda78a356b70ab308fef50264562af8e60ed4d
SHA5128618746a32ede378b31c31daa531d3106ebce2cc64419c80482586eb067fad3a942d3309337e26389ecb4fb9a6687f68e43def88cfc1b7f653f85319c0880e3b
-
Filesize
1KB
MD56760930fa3edfbb3502db0e3173744d4
SHA1ce0c571842539bd5815d9b0d2b8f2637c9e8c219
SHA2567866718dfd9ca51a68f5fb6ab7c21f119c806570a23eec10af503a015488a5e1
SHA512f4b9b92a066b0a063ed24bfe21b8ee64787d96fb3b911eb1acec787077e6b7150b0af604a21573de0074192ecd192cbffeec2355c0644d74d95b53c84adb0a01
-
Filesize
1KB
MD5b766f7a1e97b930a2c3449c45728d1dc
SHA160df96f170f43f520905ae998eccd4f351457bb9
SHA256b39a3b6033cf0168cb7c62264bb249f987d4dc6074f29ac039296253537d2fb1
SHA512a1ba93c713022e85f2cdae958734ca30426e08574fa236d550dbe50a8d70859e3be9188d4a833ea7813853dd2170002032003298792055d65fbd927b2e7b66a4
-
Filesize
1KB
MD59e92f0cdc5c097ac1b00d55a31936ebb
SHA1b60cb74d3fbf18fdc20d4bbc5df6f87e7f04ef11
SHA2563f9df3689d51b32b9b6c1beb29a819127eb7f99d6beeb5555613d7c863b658fa
SHA5126896c90066ca25d858d15ed91575382699a34114f94c7111db47b70acf0197ef25dbaad0d9450601b41153230bc5a149806aa74913322795f1effd4be23d055a
-
Filesize
854B
MD50b1196d672bbcaadca7a05c3d2f75889
SHA10a8f5ae67331abf3b1f6ced3f64e69b9c0a54b9a
SHA2563d517889aa68ff27a1bfc439a209f84524653e93395be6ca3d38ab1cd9497c13
SHA51259ad2b7fd88ac2fd6e37e0798ecbb5a52d8b30740427fa325de407c6382cd54c61d78402ad7c600e6ed7ea83b3a8a4b7f54f6b9fee7b3c083ec3a93e206c5988
-
Filesize
1KB
MD5108a93a658c47e23b8f99c86ea7de548
SHA1805d7937f867da54ac97d62c7eb4e74354f8419c
SHA2563e3ecdcd78480846b30b51d92a42b5a5f29b92a05098bc8558bfe8a757e51189
SHA512e1e14fe09b46fd0492820b761ae6c8df91a66e8915e85b3933ce9a2d1f92638e26d6f74d25e381e769e4acc07a4d89534a2f057b7bf213c6748dd57b58c49309
-
Filesize
1KB
MD56842f32835b3717e229f39982d31c4a4
SHA183a0e6ab58d95efa799620ae663fba9bac3ccd7f
SHA25616c968aca59710da452b8afb1b8598b0cac0feadb6f4e66771e96ffc7525d153
SHA5126709f0791bbb96b61348b96bccc1ee458b8f968513389d14f057641e618651bd7c6982b563ccaf9bb4d8a6caeeff0c33aa7adc68a3683eeb9d086f8884f9a452
-
Filesize
1KB
MD58a648be25a198d3981e46e9603da926a
SHA1b5f968189f67e3fbd5d3dbfd25d523d124450739
SHA2568b8dc03305b0ef7316a957532181afdbdfecad2968ab48c67b91eb2ef948b0a9
SHA512eee60b5a0e697e631cd3f084021c2215757a0eae2fb8d990bed5b743e46266d9e2ab9757c8994d204faef133071cb0c645572d25342681892eb35b647d1b230c
-
Filesize
1KB
MD5e81d0b0026b791ad1b4296e928192ad5
SHA13629905c5d0b498075de2297b1cd607422d8f02f
SHA256771a93aa823611751f862038cd6e421fa602d83b71bbe3e31dc40be341b1100a
SHA51203a11694ddbea8f0d498ff0a981318e255c2747e2cfa001eb37e80939b5e7567e01692cb1a77453b39a7b8a2e98489d0818c82f199418872bce73d356d7e11ea
-
Filesize
1KB
MD59d7f2e03cf6324043da5eeece4a1fad4
SHA1b884c7600dbd71d44290420e2bec284ac47e025c
SHA256cc5e17db097f82cfa33db2197c07ea44e76d5c8f6c1adff0113c0ee1a8c6dc9a
SHA5128919e0ec85073070ef2ed5e4ad6efb45fe3508042ee2278a6abddb7ecedf0f813944fa56284a4787473b625a6e3a91f3c8467edfc127f9239fd193b8f495d642
-
Filesize
1KB
MD52cbb5b9e93169aed6bb4fa32373e1f5e
SHA15f4d2233cfefd1faade5d3c9e9a66a1d1344bd4c
SHA25670c962b730dd4d2a8b5a5db0b56d1e83d10bc0145e502af18bb99c1f6db9fb69
SHA5120bd72f039c10cdf153794cdf3e5326329467e086ab0f9002e3d4db27840ad87b1590bd2839e1d8b61ecd48f5a614f1bf24166f17cce64f4bd335f2339aada121
-
Filesize
1KB
MD56d7893d00bc4475cdfadf6a6b4385d0c
SHA17c12304eab78fdff2c2d0be3d44b50b4fa1ee569
SHA2562d6258b245e7f5e01c3c35fd8eafa084f83c2ebc0ab43efd55cd825829ca32c9
SHA5127513dc1f08e20cd11fc3dd6df10e16b4f24550ecb796851126b2c8059537c1347e18f32c4746333a0339594441183e01ba7536c46407c9db9dede7e3a12f1dd9
-
Filesize
1KB
MD570b2dfa10a70c1208c1212e0b2067cc0
SHA19bca4363900aa69cc6a53881ef06d532fd40f289
SHA2560097d0ef6c4c5d2526410a6eaab2acdad3fe61eb47ee9db096b89745cc99aa77
SHA512b90cb6bb1a2d66eb8777e859d50a1ba280ad9cb6879398175c17a42c17f87690f35a1bcca141c6f01ac25192bed97231526678e8f4b3fea1eaa9758cfe52fba8
-
Filesize
854B
MD56daa52c9c2956cc39449f80229668e4a
SHA1e82978681f95e3e0bd3bca629d739e5c935bd988
SHA2564480849de24f3b40e71f1700510c32ee400d76977f87e8c0f7751dede2cedd94
SHA512f9983833bcc8111713d9355a849617e7d048babe81a607935a36440e72774d87a66ac451fd1144635d2c9af9d69ad5f67a671071a33a7a9c205be1616725cdff
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
Filesize
11KB
MD5c7d67a63826259167aa3e55bdc5757a6
SHA1ff0500ef3607ff50c69be22a6dbf95256164c3a3
SHA256965144db0d663ea63e729ca6f185930cc767b2a0cf0025c23aef6916ebf7817a
SHA51268d4461439c63957230f9c298a2f31001ca550431d2e8b70238537acd9789d5ca407d81d3f2fdd736d27d6612540982bd6d8b9926976d4b3a8ef3ad837d81667
-
Filesize
10KB
MD5eae7ec0d23868f412513065a928c2c29
SHA101159a4abe4f051b8cfc611b5ad7faa9be954d19
SHA256a0d48bc56c139a63e6f3554a9868e2a6b1456183dd4fa0b4274da1b56db2f69a
SHA512590ba9ca454e31619cd201938a57d7c38bdee5efe414b06f8a570ee56f212981de985723b2775e8ef100653ef66b3684dfc8e3574fb2f591c21ae68241800690
-
Filesize
11KB
MD5a8b88ea5b14c4e16adef738f8bc5d3d9
SHA11ab271d52b1211c1678a3998fc6a9f3fb836ec52
SHA25604025bc47b24b9b5461429d6a88bcac26846d84d8d1d5803c803bb19f7381c6c
SHA51230826ab464f1718dd927d6503e301de006daa96bff9938f10bcc545cd0c6c724b44bb73c965692eb00092dec85e5374b21a2cae69fa8fc527d05073c7ee69805
-
Filesize
11KB
MD53193d9142fc233bb7032b8037da66cfc
SHA14e7732f515223f4ec68251d973354c16a8983556
SHA256e66a7b0eacf51c5af91ee989f9573a6b24ba42be74d62b823075122e2f57c5e3
SHA512ae83d45ece3375f73c5619f7b1ec7528344bff5b318acf17c13e830f0ee657ce6310b92518df87688f9b5698554e4c40f0c76b6acf8432255a1b4750ed8bacf7
-
Filesize
11KB
MD5beeea4d5cd47b1a0de5e07f72227c7db
SHA1fd25f965d7984e45dc429882788fb680af435f37
SHA2564a5a594db08105db02ba49b9392c6227bdd630bcb12023583f69cc6f480a6d51
SHA512f365d800dcfc886b2d11771b070facbe6279e68b39e19cb3fa9d532be9cdd26d1d9f6361293e378a96edebc6ed70bb750d4a8bd8376a1c516ae966ddadc702b6
-
Filesize
11KB
MD5dd29cc7d8b69f9cd4880a967c6eeb6c1
SHA1ed591b08faae3d2fbd6a39029f30dd2cedc9d47f
SHA256af492d680c119e210e546528fa0d97562d4e2fff169bea7c0d8bfeb89c463c54
SHA51217bb3770e14cc9826f1396b1bb1dbadd2a234d0a2ff93f73cd6524f95749adbe55db8e64c2473dd2221b442a7c6c8ea29d8aea23be27c86f02e4652efbe45bba
-
Filesize
11KB
MD5d716f16da31769e0e812ce349829cca8
SHA1df0b27be94b9d84f280a14a6bcd8f1b9e53e1768
SHA2568edc6ef31020c2876570035ad8d13550f5360b6353caf1471fcc2b3982646d4a
SHA51276dbacfeba9349b0150925c76b808ab0da97342fc000ecbf73fe24d0011adf7c9021eb11c4f5e9f6e19049d8757e241f17a7859c79ba7db1cd30ce8be23d0329
-
Filesize
896KB
MD515d19df1080de47e73b8d9026c26bfe6
SHA1e44f2c30ee2567c7be2fde5bcf78fc1eecb5b892
SHA25625c693c5917ffe36b86fc13933ff5c5cf1dfc07f1941ce50a0042c4bfab024f4
SHA512e0b51ffcbd42232316c035e8642d5fead1270a6c6b5e4c3753108e102b381d0ed85e54b7c8f1a4bce474a63439e8fb71e2a5b77a1ac21cd146960f74f4cf068b
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
590B
MD598d0776a300a1eee75fe7101e98ba612
SHA18e35634621ca0b447c2ca4671f15371b9d3dd703
SHA256d3667b3f7fff6836ea7a9b605ad847e2dfd80e6c96dde1f097b9fac3c41f8d47
SHA512c6a22c06dd81298a2269be7c923094b99eb45ac7d0a9f49c2ef407eb945f5a35560483c8b7688ea670e3faabce237685cbc57da1cff37a6ad8b600f59e9dae39
-
Filesize
136B
MD584f9e9221e46f297aa59a791ff396701
SHA1097722f08e28e10a3789f3b1025459a03cc257c1
SHA256b7d3f49bf206f04cc2959e0b693668fe850c68fe54741ef485cab90c04004071
SHA51211e7a3dc0969360747fd1baa2c61b24e221dcb62550620423aebde2ebe85f4492353ec066b6d40684119b9838fae2ab38ee016c7aa54b4063e6ea0f938062f61
-
Filesize
136B
MD5bd22f6e57986ee3201113d131efc40ab
SHA137613a2d8bf4e5376589d37c5a5107d785f48273
SHA25664a74d687d61a9216d5e487b9e82951f3a49c3e97d8800fcf11331ccaa28ba5f
SHA51285176cd14b176b324a0fe577663e013c6f8901ceb080916358c512642cb5a61108d1fe5146bc14097a0908127a1fbd85d008888db2c8efb91c33048b86bebf98
-
Filesize
136B
MD5b4ac8208f4ad3d17710d2c2176400570
SHA124fa76b870dbe68e52db9ba0366afbd708ce4229
SHA256afcb5993e1fff58a593a738b52adfdc86ec569e30a92872a513ad60aad1b6e74
SHA512abf6837bf3e848e8e9e03b34086ebf986da48d0f74f1cc4c41a0080480348ed7b58bceea3d9933a41cc53fc426d3043412a33352c4924bf3e08798cb531b4e1d
-
Filesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
Filesize
4KB
MD5331973644859575a72f7b08ba0447f2a
SHA1869a4f0c48ed46b8fe107c0368d5206bc8b2efb5
SHA256353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3
SHA512402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1
-
Filesize
53KB
MD56536b10e5a713803d034c607d2de19e3
SHA1a6000c05f565a36d2250bdab2ce78f505ca624b7
SHA256775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de
SHA51261727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
125KB
MD5ea534626d73f9eb0e134de9885054892
SHA1ab03e674b407aecf29c907b39717dec004843b13
SHA256322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c
SHA512c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851
-
Filesize
6.7MB
MD5f2b7074e1543720a9a98fda660e02688
SHA11029492c1a12789d8af78d54adcb921e24b9e5ca
SHA2564ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA51273f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
-
Filesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
Filesize
628B
MD541500f0c6c43206c7bd2ac658344d46b
SHA1e482f17c617bdf86d7683ebd7830d0ff3ffe7b28
SHA25667d277b53e90d9901d6a6e1daef44864544831709067a7d4d70d6239fcdf8b6d
SHA512d4cc1b48a56108aa0b071b7d353177efac6c9e1e552096abdf10b6d03e1ede0ce44cdd8417d689197a306b63de3febd01cb5899db4679b21e9c2e2bd9d20c7ea
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
729B
MD5880e6a619106b3def7e1255f67cb8099
SHA18b3a90b2103a92d9facbfb1f64cb0841d97b4de7
SHA256c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35
SHA512c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243
-
Filesize
68KB
MD55557ee73699322602d9ae8294e64ce10
SHA11759643cf8bfd0fb8447fd31c5b616397c27be96
SHA256a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825
SHA51277740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
80KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
80KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.7MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
16KB