Analysis
-
max time kernel
1278s -
max time network
1279s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 15:14
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (519) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Contacts a large (1153) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 43 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 12 IoCs
-
Executes dropped EXE 60 IoCs
-
Loads dropped DLL 55 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 41 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 18 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86db546f8,0x7ff86db54708,0x7ff86db547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4960 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6160 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1260 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7196 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\msert.exe"C:\Users\Admin\Downloads\msert.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,14651447745856338439,16381697445509807894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002283⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\WINDOWS\SysWOW64\taskkill.exetaskkill /f /im "C"3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 158181730129092.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Service Discovery
2Peripheral Device Discovery
2Query Registry
6Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
983B
MD5bfb9738d5e1023388205c22504054342
SHA1b2b8ec2ba6c5163c23629e3983cc5c12ee091ee7
SHA256c574378096527ca74cbbf662178ff939fe40b4cc25f7b418bee60c40c979217b
SHA512b7439a2406f2adfa122a91b493409341a4beb203b5f9a19542e8bb72bcb4c4c2a6f12d8afb9ad982b413b60b9f430350ff68ecd31f3345cc991345b71f9bfc48
-
Filesize
3.2MB
MD53937671d451d77bbabb3651303cf6706
SHA150897fc3f78b7c330377a269d0fafb175833f686
SHA2566b9f597b92227788ad78576bbdeab0787c29068754eb22e44541695207278b0c
SHA512016da5ce3b424ae233e19773dd31b2f8e8da70c1505c007cac532a5d34a12ab6ca60ca31eeb9f0746b00b8c88e17d76f13df275fde0ae57c6d56ad349d169470
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
67KB
MD5fb2f02c107cee2b4f2286d528d23b94e
SHA1d76d6b684b7cfbe340e61734a7c197cc672b1af3
SHA256925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a
SHA512be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
2KB
MD530c1c6bc5a81b207c42391a04d3955c1
SHA11b58cc68ed8cc297c0a1cd093ce75baeecc63463
SHA256df4e9b56d22e8ee822f5b1b061babe72ff9c93caaec7b491ce7c9f34275ce074
SHA51248fd26a0b5716fe28d69f9ff11e3632a3febfcc283820f4aa87247cf06e42f41f5554d94f71305920bd81aa42a85939505f24342268a730fcb49a29f6cc4bb2e
-
Filesize
2KB
MD5a71a4ea2a9d4dee81d8ffde166221619
SHA1a2b2697aee0fd99cee0320aa095a98c0ab23466c
SHA2566eb6de6b47edadd503f8e3858fcd09fd570bd0066ff13f3dd66ad0d02be3abe3
SHA512e4dc874d4549aa0a67b3f02509b50507b425bf00f27945dfa7e1e52f44b9bfd82a84d75f0f2475a2bf3b3a45e8f93f3ef776e68f92b58dc1e9d379840d6707af
-
Filesize
2KB
MD57d6f301bbac0607f4e00129f407700dd
SHA1f3cecef6b2c72b4b4ae8b6cde86eb74da3b842b5
SHA256d77006efcd0d3d281cd661099e18b8c7b783eb98568293dd480ecbb34e7f9fb4
SHA512c5ce0114ca9241cabeca7df4f727305d3b87ba418e84b1acc004ad325250ab169aa71cee5e6704b29b91572cbfc4ca8ae656fb28a587c74cb3ecf547d636af43
-
Filesize
2KB
MD5f96e790a2469f011f0adbc4f9bae2b28
SHA12e6b98ff41987107adf9e97e4623733b3edfbbd8
SHA256546daa03ae92e3cbf9629f5f1c4efe2d432b77bac12ef7a2653319555f967e39
SHA512cb510b2a079ad0d183fae0decec4d93adde867116c802cb3b33bed11529853b05d54cb530015713067ff94407e65fbc45a19a1c420192ea4fccbbc4e98cf1e77
-
Filesize
573B
MD52cc96e82a1f9e5e496d985b7cfaba79d
SHA1d551d8e0f7133dd9fa9179bbbc88e0dfb9058410
SHA25674dfdd65edd064722a5c267107e0508d6cf9bbf166aa5e1143799f9ce1ff2bb4
SHA51258f8fd724cf943984cde5cceac663d61a24939f9e24fb42581d88c39d25ab256b6efb8f06821ebc690db358333bbb4799c5666c200ab08e1154881967698bcce
-
Filesize
2KB
MD5fc38b30e12eb12e8c9c32880db5e3bd8
SHA19ba933ea0ec830fbdea2b744f90a411f9f2f47f6
SHA2568d24c99ed2793fcede249a0b9ce18ecdc2d6e3834f5490fb975f8d72da0ceeda
SHA5122f02b5b9a170010a057be92cc979cf55db15475ff299a7d828feb2bb23464fdc67b7226241464bdcf345ef0340d44ab1e55c0d8164ae8c0a092c2a6a33b835ad
-
Filesize
7KB
MD51368218b2a3ffd3f8105e80ceb398ec3
SHA1c534e5fd836cc8b4760ddaf11b59533dee03fa0e
SHA256afed98a0d88d1aacd1e0cfb1e153ad6f777e9a613e09215ba513c9baf097bdeb
SHA512ed729ee77f74d8d29b18671196c7e4da3af41560867fcb000127d99e04a0f6b320d20d023ecae20da16c736b38faef55fd01de054ec50a8af8963a8ddd040435
-
Filesize
7KB
MD588ea9d2e6be0245d30648f25c07ba6df
SHA1f97576167f93fae57cb7092ec68ace0513475ce7
SHA2566e7810e569b613eef09ca3c2adb1cdb3c8064b4319c84784fa3bbc013eacea75
SHA5123d6c11eb3a1e40d00956f677d9737ec610cd50d75d4d510d67f16a03c9b7cd21b2bc324b5baa32cc8ea174c3b29007732ff9b72aca954d2b4dba0eced35456fb
-
Filesize
6KB
MD5c4b561702de3d837f3b4ebe4d0e7ea0e
SHA186e88d55ea425e91ae0e159cab8207ca449e65be
SHA2566da04e9c766484e89b3f36ac161a8d150616746d510fd911dcf5b712bdada814
SHA512f8e29c2803d5283d4138bc024a67293b59eafa9d0fd2ae468e7abef82dea2d22aa9bdae1bb5d66d627f22422b522b8e39ed4d4e0a2d7ceb5961d12fba258ba62
-
Filesize
6KB
MD5ce34d6fc82204fed6289fb664b8aef1b
SHA155f2f2636253bc3385997e8b5e87925583e5a768
SHA2566efc22445eba17a59b25f4345245d998575a0454dab37b042be3c82666ddffca
SHA5125abc1e0dc8ec181c19e9ba2833c0f580a01f2c138e2d64697a2186736fda50fddd143b33537cf86f169b260088db9c222b35c6b192ddc1cc7293af26a906ca16
-
Filesize
7KB
MD5158ceb70dae8be5a151a5450556dd026
SHA116d04fa6965ed0c59b1bf854fafdcbf1717a0749
SHA2567a3b8f01329431f14f2a437805134ea9c4de444b25062a484ce5064f26fab831
SHA512b56829c5cbcdd375a657afe4b7a52226ae6f18a44b4c7a7b77c23d619aea0e7b43c6963c6bd26ea11410d697381ad41ed73dbb0a6ac366be9d1655e8614fbe6a
-
Filesize
5KB
MD548066b26ad07a51952ae66302ebd9289
SHA1b0999be6ef46c562e88c3df368f989a58a6b4fcc
SHA256dce3a2bd92c5bd11f7e4ff681dcf62d615f8bd0c90e854552464dd64e7acbd94
SHA512e74215aa4af1d35cc131cd432f9a8a2f53dcbecbd12b31787d004ed6891f619752a11ef48156a4c3a8343794684409fd1b09283c3aa09475b581b10bac669322
-
Filesize
6KB
MD5a82bfb00199c80d093d4cd1781b48237
SHA141df8eec6eaea42f9e54ba1e5c0a25e2087490c7
SHA2565eb73fa00310178ff34d3371b1cc6860661088257b0898480fa68c1f678bbbfa
SHA5121417a837f8b750c84e968e846194a7ae314aaad6a372df3169bc538647239c167c22aead49d1db6bbd7756edee4113f24c3086a2a3d71fa5e9994ce9f87b81b0
-
Filesize
6KB
MD5aeaf4c4ff41a5b7bf2ca00f15d3a7f2d
SHA1df89a0319ff0edaf1bda5d50ec8be5755c85286e
SHA25677450df7a2c73c7ac988a8dea592782f5724133d56a1237f9d8c6a0031383746
SHA5128a693516b2e4c4dd7a174fbc45dabff53439db0040000ce3ad653b8efcb46affd8b1708e1779dca664f325b4ea6ab2e60f83555cf2acf0f71f807e5b2c30475b
-
Filesize
8KB
MD5f6f1577e5664f0fe4d781f912a9c4ecb
SHA142bd831f9dc8728d11b1aac70d406d14ed930364
SHA256db60b365d3d84e8e32324a74c5a2ef316d9698832f5b5f3a76b153bf72f48e6f
SHA512db38dd2d5149a9bac7de311e84a490bfb96726ad560bc9523553ca71ea8ebfcc957f348c91ea909fb3ff048720ef3224f655392ed734d6b32b782cdbc7ee4094
-
Filesize
72B
MD5108e40d75b6044f47c265382173c0e7e
SHA14c6d99a68aabdfef32e66c15993fe5ff10f7c23c
SHA2567595cfc4a8c7e721201ea38c0d3267b241095064fc0ed7a7d1ed9d93578a3bd5
SHA51265a2930d1d2ea918e179d87e0fcf68755fb04386fdcb3450f5d657a5c3f75beac909213746330704dfc933ac5cf9b55e6c8123070e5399c27998f77dd8c12f74
-
Filesize
48B
MD59733d024b52da0bceffe51c025d2bb67
SHA1072a31fa246ca695eaf8420b04051983e017bd61
SHA256a509ab59d7d5f842ebfd83f76151a34c62da0054ac078d336e04653cf687546c
SHA512c7ac924d2328e43ed1cd3265780166223a8062e6e5b79a9efc1e4681c8f19eaa0a81acdd845fd295f0dcdd1b7d93a89eef14f6b9615915521b4929fe80db24db
-
Filesize
874B
MD57421817bf15f3588cc9e98bb38688482
SHA1dad909ff394a78f05fff0b7fe99dc700b54cfaef
SHA25674aac6845669bfd27ba79669f0020a6f1807a076d3cb161b9b22dd69b25b4b64
SHA512060f13a86586223c335c257fb12938ce2e8121b7c311a344141184933bd4df006626fc85d5e6a774598edc28540ff210eb9b251f67936a3dbdb9b23d02361215
-
Filesize
3KB
MD561deccc1bb06a18a5ea7b2db7c8faeb7
SHA10491dcffda0da195fb1bcdfc50a3719c28722c75
SHA256d2fe6d2dd391eb3be97ed2763c002fe9d85654de2e7fb64a5c831bac7b408fd5
SHA512a8b379a31c2ee32a74e7cc0904a0ee68870455948066a9d0def6a4e146059aa363c23e19781e2be18204f833636f445cd7f7e5693d11e68147ed4a5b7eff76c3
-
Filesize
3KB
MD5126c27b6c4f3b98bb098007c821a4731
SHA146cc4c2c051f1b5d9d368ee10faa40d224ade8a7
SHA256fe8b57686435317348d82f765667d8f4e4b6efef782db20625aafc4566ffa8a2
SHA512af60f27a386a2afd93952a716950df151016783fb6e626ed0dd4b6418d63d6fc8a0a46ae8b5eac11148ac3e6e99b73b2ad617fd8f9b889a6b0ba179dbdb4eeb9
-
Filesize
2KB
MD5e93318b6cb72b6d48777d03e54d3b007
SHA10ce86d3c7b6519cdebf73595ef41bd801c3f94db
SHA256bc830d05c53b7ef95280b1be56d3289de0026583d3a578768f1d46cbfaf1d7ea
SHA512a5f7c6ae28063223244a306c1ebc25b81b5cbd10df64310c8349b1441ca95b5b3e34319eb457d3655ea7f57bc10f99aaabeec4bebeae331337e66afa5d7d7dff
-
Filesize
3KB
MD50b6c1540b786720f1386923511d682c1
SHA19038074254f9acc4a2e3a5115fff2825c4539e91
SHA256b9fc5a3c01679c0eef4ad9e774472dd95964468ca772487b3daa553ae5d9ae21
SHA5128ef39049ee9ff306bb0a06e3f53e65e879074f259a9c6954938b44a60329656aba23a41d2f9a7a57f201ab5c38383650a32fd8ed399bc659a6904868d4a7a329
-
Filesize
3KB
MD53b38946111e7825341814880845df8ca
SHA1a77cc782ab72b6f64ad38bc7b6c4af2bee9147f3
SHA256afe34b95be55b1c88cdd850bfb52fdad78003da689a2608ce2b8034b19745613
SHA51213521b6f5bd12245049ba3f672e14676fc0b5fee440d9cdd65abd976e9092102959445199b08b72af2eef6711478cbe24012afa4393918fc8b3ae9fb36f99d6c
-
Filesize
1KB
MD5b58aeeda7b9ede63ebb6ed0ccfb38e7a
SHA16640f0102fea3ff8d3c2652a1f8c9cbb6c8c154e
SHA2566c2606ad365a0688683e69b2e4af2c0086926c7677df41d12ac8d4c613b58041
SHA5122d2a2fd6294f527be4f9e7c10a573419985a1ba0405f7c9d48b784a106c205c451dcfe1c2824eb5dd6bba7b4e5874f39e2d84e28be422f9fd9266e1e4eb8944b
-
Filesize
3KB
MD50df4824fdd1aa52bbde1a865aee31756
SHA195caf7d881f5fff525058bd8722b226d4adc24fe
SHA256651bf19b0660ad6a099b06b5a1d0c2191903f97b75b9561168ce8fa177d5f9e1
SHA51234afeb317cba25a7a62a5fa2e27dabe4e7b9e0d1006eb6f0822416a2ef4482db92510a2a21ef8eed2f03ef57e155f928251f7400d9bef50213cc4ba762032ab8
-
Filesize
1KB
MD577d614e5bae9204e9ad354292e7487c9
SHA100caf49e13173f12c99dce0eec054a80d3630649
SHA256eeb7379401c53eee158d99ed4ed0da7306d57532fda02aa7b39f8229ac1a36ad
SHA5120f882bcde7ccb2ad3d104c37459b4e6e22d1daafd78223e0e17e1daffd1610d377135476d1787bd9e4cbd127bad36def5e8da5b3871cf8504618e8e083e52ec3
-
Filesize
2KB
MD52bff255d4d65cba95ab199b249df5973
SHA10785be23a5f0b39d9a6c82a4250bd054a0ea3343
SHA256441f2084ff752574c59a1426f68f206253f59958b94ac621cb44ed9af59b4fa4
SHA5127495856a6baca8378c09fe2bcd76295cb7337f379c32038d667b253ce6f15761f593a569c29ab41990d8693460ebcf4133e728e5e438a625e54fa9808e902d30
-
Filesize
874B
MD58c4458fa95197244330f2f4927c053fb
SHA112b11c6ebffa0a5899bb1328ff819a7e0a50b34c
SHA2564e0e45d00fb29ee0526b895a7a87b08e1aec4c821e354f715fe8a2be9b554ac8
SHA512b77cf4a6a38c460a092697e71162ce8083437d87d80c7fb6ac9e0e35fe6112e4a3c3f92ec3a1b1edac174d18c1545d8b96dc5633b916d5f61f90268427cfc8ce
-
Filesize
1KB
MD557a0968d95d2a683f35434ab0416ca87
SHA16103b587fc25de953c2a0421b167db63218cfec0
SHA25626868a086583b40dd3fefc36006866952bcf4c1e0e87f3841246cd85969022a1
SHA512c2c18613ad8d921d68f63d10d117fbe4858d22d7a16908c80b6e5b2a4f2200b0b3a464f22535051f897b34d20ca884cf1c6492760e6964fdf934a8be768513d7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD57f27f1c8af35c7d91d3aa419f5c7b32d
SHA16e83a4e7e704e5fbc6b203015df00a61cca34e5b
SHA2566b5eb630a398f2828205b9bba398a79dcd8f18459cbf9097770a160bad1588bf
SHA512eccb35717c19c7920185f81c3cc9bd15963e09dc241cdd0374363c8c265934b63267468b898fdb3f82700134950388be7f5321901aa38d6f3e51166eeadb4caa
-
Filesize
12KB
MD516e8df3f8f9ec4333a5530b8f02725a1
SHA13c944b6be218def49471b86062944f94d5fbe0dc
SHA2562cc9d042e92c88451f6cac7d73536386875af07b4fb816ba813a7fa2f35f5de5
SHA512d96a266ba06bf1f53f71274b7c5c93813e741ffc3d83e14ee9441199edafcb485bd7c79cecaaae5b844d1db7493ce3039eed7db999cc4c9a4eb8a92996a290b7
-
Filesize
12KB
MD5c845e9c9fcf284a8ab99368b56984896
SHA1a13f399943d32e651ee54c62c889a279834973d1
SHA2564ad2f199c1c006ea7e8a410815959d3eed75a5f71d0052e9ccb3a923c13ef011
SHA5122f9fcdc52d3a909a700d3fbe8788fba765702f0e2411f01ae022c97c13a411764286d1e4e07a36a21890a827608b0ae85e41615dcdde9914ab55decd697339f5
-
Filesize
12KB
MD539bab671810d6654523613cbd2f8303c
SHA105104234206f1b3b3b88a1cc568b96521b0e2e4a
SHA256c220b394bf5a9b7ecaea00a120f178d4a080634e54c699d5445add2dc1edc29d
SHA512ccc30f97c251c775d424f6ab4094dbe2cfa711a377d277631005a7760f6a182f4df8d09ad2565b624e79e22c8b70de950d6ab05940b97fe99833f72fbb68feac
-
Filesize
12KB
MD559b8878a9dd03e4c450812895d01b8ea
SHA10a6ca4bd8a5a4b77e6148a262b650abf847e9384
SHA2567b7020044850ba279fa5f8fa2a896952a3ca1f0599ea745781ed991ce0314269
SHA5129dbc049ac1071cdadb429188312a8f061ba60bba7e81a8064a5fecc76876b67ad2fe04fb178a1337253567e7c2eaf730809a7f6ce4053e3838c5cf680e63d17b
-
Filesize
12KB
MD5edac5a513617da4fd012f243e55b1f7c
SHA1c323bc30a9f1a035d372cb2e280314faddd452d6
SHA25685aa6af092ac9e644b6f9b96bb22d7805790d076aca8868080501afbe7d506e9
SHA512b4b8a30ae63d3a87f8f69bda858cc49a84a709e2396096c402a5fb7f46714f14b891824c0ddc75f32d319b39341fb85eafb8e13e554eb0ec9d96c5bfb6437bb6
-
Filesize
12KB
MD513d481a198d98282787a2786b9f658a0
SHA1edcfec62c956a8b43f6d2eb61224c4fbc593e691
SHA256085e070a6a9c58a57f5125adda92e584e33e03fa98925d6676d7072ddb55535d
SHA5128620cfa74a639fdead0a9a4d9b693f3987088259349aaa31b82a0da7ce83bb3e6cbd2773cf75804d861c08eb32834cc2f0293fc60313a0e3efe25967a5f01fa3
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
261KB
MD55af325bda4568a1a07fee2195a80a188
SHA1b235430bf74063ce512a3f2c95013f624dcabece
SHA2563de271e51e33baf258096d572f1ffebf8714af26dbe18b3b4fa98c369c8ed6e1
SHA5120b310e9006954312fad190936bbb9de8087bfe3d4b1c7d14e74f162ab74d5ddabe8680e5c957cab4d958b4e6e6c1f70853859a6b7c182284d6e5c176faad4e88
-
Filesize
16.3MB
MD53045420e24626dc12d9c0db85dcf6895
SHA14ed91a6e82de972c43d93139238cbba2e12ee3e7
SHA256ae4d93971630a3ddbd6b71ce4694350fb38896ccc854327422b2532372e60436
SHA512c901e8a02b8cc4440905c124ed94ac3e90c48653f313b84ea53da4c4bc6157e0e0a40a1a58d443143628325f61d647cb98319b27ce6d8e106a904f27a4f9f04e
-
Filesize
49.2MB
MD5a0800f47e0889c288ab36dd8b5adb89c
SHA12d1a9ee4a5a7275174a5943a19c8436825ccf2eb
SHA25672bde894ad684469a57d4c781f9af8c9a6ef79e1c72c659c33bc1a91a72a2dc0
SHA512d7a4e4762b73b7d2f7f95f8f1bde25766c8f3438a8a4680d5fea52fa4e8333d8fbe9b4c2350faccc40d7ac4ada116a1c507737d4ab3f77f8efa17b0ab17b56a4
-
Filesize
1.4MB
MD59dad4758b01fe2a980efa989ac4d6fac
SHA1acfa9e37ef71025d12b2a4ba978a59ed3d46cc43
SHA256e260272c97a980cba18913af2ed0b52a25e39336812437833a995c7b62337a41
SHA512af72c3f52cf2dfc19b677b7911867951fa973315da2bb6134ad7449f7fc742b0fb1a043802b4fdaadab48e52be19bd51bb78ac6c4cad86615728464bf3b5632c
-
Filesize
18.8MB
MD5807f47f2bbcdb430bc1d9f07a8293540
SHA164b09605338f2b0e73b2fa396f2d8bb41a5ac0ab
SHA25669e24472a2977868a260ba52078cc95cb3ec681c902a6fb9708beaefa6acf283
SHA5121caa8a4316d3855542d31efeb6c02205f6d9e550f0b9c2278e9f74ce4ff13d008c5ef7f1f4c1bf6dae6264680ed7f4eb2c6dc6dcf27b27d33ee0a36cad2ae697
-
Filesize
607KB
MD5a0c4ac6378ce0313955dccfd2d9208a6
SHA17ee2f0f3bf4504f4f7bbc63cb5fa883711c13801
SHA256abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1
SHA51272ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
148KB
-
Filesize
72KB