Analysis
-
max time kernel
602s -
max time network
603s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
05-11-2024 12:57
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Resource
win10v2004-20241007-en
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Malware Config
Extracted
C:\Users\Admin\README_HOW_TO_UNLOCK.TXT
http://zvnvp2rhe3ljwf2m.onion
Extracted
C:\Users\Admin\Downloads\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
resource yara_rule behavioral1/files/0x000c000000009dae-2969.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Rokku.exe -
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFDBB.tmp WannaCrypt0r.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFDC2.tmp WannaCrypt0r.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT.WNCRYT WannaCrypt0r.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT.WNCRY WannaCrypt0r.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT WannaCrypt0r.exe -
Executes dropped EXE 64 IoCs
pid Process 112 CryptoLocker.exe 4324 {34184A33-0407-212E-3320-09040709E2C2}.exe 888 {34184A33-0407-212E-3320-09040709E2C2}.exe 5724 Rokku.exe 3696 Satana.exe 3608 Satana.exe 4300 Satana.exe 1960 Satana.exe 2496 Satana.exe 3244 Satana.exe 1532 Seftad.exe 1848 Seftad.exe 5256 Seftad.exe 868 Satana.exe 928 Satana.exe 2944 WannaCrypt0r.exe 5896 taskdl.exe 4344 @[email protected] 6012 @[email protected] 5788 @[email protected] 1316 taskhsvc.exe 5432 taskdl.exe 3704 taskse.exe 5324 @[email protected] 1648 taskdl.exe 968 taskse.exe 532 @[email protected] 3896 taskdl.exe 3264 taskse.exe 4924 @[email protected] 5844 YouAreAnIdiot.exe 1268 YouAreAnIdiot.exe 5504 taskse.exe 3688 @[email protected] 3012 taskdl.exe 5256 Avoid.exe 1508 Avoid.exe 5860 taskse.exe 5776 @[email protected] 3324 taskdl.exe 3660 taskse.exe 2988 @[email protected] 1736 taskdl.exe 5216 taskse.exe 5684 @[email protected] 5980 taskdl.exe 3016 taskse.exe 2728 @[email protected] 5668 taskdl.exe 3788 Magistr.exe 2684 Magistr.exe 5128 Magistr.exe 5772 Magistr.exe 5700 Magistr.exe 5528 Magistr.exe 5420 Magistr.exe 4816 Seftad.exe 4284 Satana.exe 3284 Satana.exe 4240 Rokku.exe 5808 MeltingScreen.exe 5896 MeltingScreen.exe 2704 taskse.exe 1284 @[email protected] -
Loads dropped DLL 7 IoCs
pid Process 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4636 icacls.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" {34184A33-0407-212E-3320-09040709E2C2}.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hbqpqaznjyrqx231 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" reg.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 62 raw.githubusercontent.com 63 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 Seftad.exe File opened for modification \??\PHYSICALDRIVE0 Seftad.exe File opened for modification \??\PhysicalDrive0 wusa.exe File opened for modification \??\PHYSICALDRIVE0 Seftad.exe File opened for modification \??\PHYSICALDRIVE0 Seftad.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCrypt0r.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3696 set thread context of 4300 3696 Satana.exe 174 PID 3608 set thread context of 1960 3608 Satana.exe 177 PID 2496 set thread context of 3244 2496 Satana.exe 182 PID 868 set thread context of 928 868 Satana.exe 195 PID 4284 set thread context of 3284 4284 Satana.exe 279 -
resource yara_rule behavioral1/files/0x000e000000023b9a-495.dat upx behavioral1/memory/5724-528-0x0000000000400000-0x000000000058D000-memory.dmp upx behavioral1/memory/5724-759-0x0000000000400000-0x000000000058D000-memory.dmp upx behavioral1/memory/4240-3469-0x0000000000400000-0x000000000058D000-memory.dmp upx behavioral1/memory/4240-3473-0x0000000000400000-0x000000000058D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
pid pid_target Process procid_target 400 4300 WerFault.exe 174 5332 1960 WerFault.exe 177 5980 3244 WerFault.exe 182 3676 928 WerFault.exe 195 744 5844 WerFault.exe 236 428 1268 WerFault.exe 240 3608 3284 WerFault.exe 279 5572 4240 WerFault.exe 280 5172 3768 WerFault.exe 305 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings OpenWith.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4340 reg.exe -
NTFS ADS 16 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 9895.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 175098.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 247389.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 286475.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 495414.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 471419.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe\:SmartScreen:$DATA GoldenEye.exe File created C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe\:SmartScreen:$DATA GoldenEye.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 315084.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 509915.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 429042.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA CryptoLocker.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 755769.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 829777.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 560967.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe\:SmartScreen:$DATA GoldenEye.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process 1000 msedge.exe 1000 msedge.exe 3164 msedge.exe 3164 msedge.exe 1472 identity_helper.exe 1472 identity_helper.exe 312 msedge.exe 312 msedge.exe 1532 msedge.exe 1532 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 536 msedge.exe 536 msedge.exe 3544 msedge.exe 3544 msedge.exe 5976 msedge.exe 5976 msedge.exe 5960 msedge.exe 5960 msedge.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1316 taskhsvc.exe 1680 msedge.exe 1680 msedge.exe 2860 msedge.exe 2860 msedge.exe 5568 msedge.exe 5568 msedge.exe 3788 Magistr.exe 3788 Magistr.exe 5188 msedge.exe 5188 msedge.exe 5480 msedge.exe 5480 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3332 OpenWith.exe 3164 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 34 IoCs
Suspicious use of SetWindowsHookEx 37 IoCs
pid Process 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 3332 OpenWith.exe 1532 Seftad.exe 1848 Seftad.exe 5256 Seftad.exe 4344 @[email protected] 4344 @[email protected] 6012 @[email protected] 5788 @[email protected] 5324 @[email protected] 532 @[email protected] 4924 @[email protected] 3688 @[email protected] 5776 @[email protected] 2988 @[email protected] 5684 @[email protected] 2728 @[email protected] 4816 Seftad.exe 1284 @[email protected] 5348 @[email protected] -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3676 attrib.exe 3452 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb55646f8,0x7ffcb5564708,0x7ffcb55647182⤵PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:82⤵PID:4400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:2136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:4236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵PID:2124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵PID:4644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:4344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5684 /prefetch:82⤵PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:82⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:312
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:112 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:12⤵PID:5540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:82⤵PID:5644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵PID:4164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:82⤵PID:5324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:12⤵PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6444 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:82⤵PID:5216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:536
-
-
C:\Users\Admin\Downloads\Rokku.exe"C:\Users\Admin\Downloads\Rokku.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f3⤵
- System Location Discovery: System Language Discovery
PID:5812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
PID:5848
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop vss3⤵PID:3848
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vss4⤵
- System Location Discovery: System Language Discovery
PID:5296
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop swprv3⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop swprv4⤵
- System Location Discovery: System Language Discovery
PID:1108
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop srservice3⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice4⤵PID:5584
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵PID:532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:82⤵PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3544
-
-
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 3764⤵
- Program crash
PID:400
-
-
-
-
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3608 -
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"3⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 3404⤵
- Program crash
PID:5332
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6504 /prefetch:82⤵PID:5892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:12⤵PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:82⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5976
-
-
C:\Users\Admin\Downloads\Seftad.exe"C:\Users\Admin\Downloads\Seftad.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
C:\Users\Admin\Downloads\Seftad.exe"C:\Users\Admin\Downloads\Seftad.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵PID:2964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 /prefetch:82⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:12⤵PID:5452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 /prefetch:82⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 12043⤵
- Program crash
PID:744
-
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 11723⤵
- Program crash
PID:428
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵PID:6040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 /prefetch:82⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860
-
-
C:\Users\Admin\Downloads\Avoid.exe"C:\Users\Admin\Downloads\Avoid.exe"2⤵
- Executes dropped EXE
PID:5256
-
-
C:\Users\Admin\Downloads\Avoid.exe"C:\Users\Admin\Downloads\Avoid.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:4764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:12⤵PID:1084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2948 /prefetch:82⤵PID:4544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5568
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3788
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5128
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5772
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5700
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5528
-
-
C:\Users\Admin\Downloads\Magistr.exe"C:\Users\Admin\Downloads\Magistr.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5420
-
-
C:\Users\Admin\Downloads\Seftad.exe"C:\Users\Admin\Downloads\Seftad.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4816
-
-
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4284 -
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"3⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 3404⤵
- Program crash
PID:3608
-
-
-
-
C:\Users\Admin\Downloads\Rokku.exe"C:\Users\Admin\Downloads\Rokku.exe"2⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 5283⤵
- Program crash
PID:5572
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:12⤵PID:2964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:5664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5188
-
-
C:\Users\Admin\Downloads\MeltingScreen.exe"C:\Users\Admin\Downloads\MeltingScreen.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5808
-
-
C:\Users\Admin\Downloads\MeltingScreen.exe"C:\Users\Admin\Downloads\MeltingScreen.exe"2⤵
- Executes dropped EXE
PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵PID:3048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 /prefetch:82⤵PID:5936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6668 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5480
-
-
C:\Users\Admin\Downloads\GoldenEye.exe"C:\Users\Admin\Downloads\GoldenEye.exe"2⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:6092 -
C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe"C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe"3⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:944
-
-
-
C:\Users\Admin\Downloads\GoldenEye.exe"C:\Users\Admin\Downloads\GoldenEye.exe"2⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2912 -
C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe"C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 5204⤵
- Program crash
PID:5172
-
-
-
-
C:\Users\Admin\Downloads\GoldenEye.exe"C:\Users\Admin\Downloads\GoldenEye.exe"2⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4000 -
C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe"C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5032
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2368
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3308
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6140
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3332
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4300 -ip 43001⤵PID:1448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1960 -ip 19601⤵PID:1320
-
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496 -
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"2⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 3483⤵
- Program crash
PID:5980
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3244 -ip 32441⤵PID:6068
-
C:\Users\Admin\Downloads\Seftad.exe"C:\Users\Admin\Downloads\Seftad.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5256
-
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:868 -
C:\Users\Admin\Downloads\Satana.exe"C:\Users\Admin\Downloads\Satana.exe"2⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 3403⤵
- Program crash
PID:3676
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 928 -ip 9281⤵PID:1060
-
C:\Users\Admin\Downloads\WannaCrypt0r.exe"C:\Users\Admin\Downloads\WannaCrypt0r.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:2944 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3452
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4636
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 36241730811719.bat2⤵PID:1684
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:3668
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3676
-
-
C:\Users\Admin\Downloads\@[email protected]PID:6012
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs2⤵
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5788
-
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5432
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3704
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5324
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f2⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4340
-
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Users\Admin\Downloads\@[email protected]PID:532
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4924
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
C:\Users\Admin\Downloads\@[email protected]PID:3688
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3012
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5860
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5776
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3324
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5216
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5684
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5980
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Users\Admin\Downloads\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Users\Admin\Downloads\taskdl.exe taskdl.exe 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5668
-
-
C:\Users\Admin\Downloads\taskse.exe taskse.exe C:\Users\Admin\Downloads\@[email protected] 2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Users\Admin\Downloads\@[email protected]
PID:1284
-
-
C:\Users\Admin\Downloads\taskdl.exe taskdl.exe 2⤵
PID:4072
-
-
C:\Users\Admin\Downloads\taskse.exe taskse.exe C:\Users\Admin\Downloads\@[email protected] 2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Users\Admin\Downloads\@[email protected]
PID:5348
-
-
C:\Users\Admin\Downloads\taskdl.exe taskdl.exe 2⤵
PID:5372
-
-
C:\Users\Admin\Downloads\@[email protected] "C:\Users\Admin\Downloads\@[email protected]" 1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4344
-
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1316
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5844 -ip 5844 1⤵
PID:2264
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1268 -ip 1268 1⤵
PID:5392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\README_HOW_TO_UNLOCK.HTML 1⤵
PID:2188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb55646f8,0x7ffcb5564708,0x7ffcb5564718 2⤵
PID:3896
-
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3284 -ip 3284 1⤵
PID:876
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4240 -ip 4240 1⤵
PID:4840
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3768 -ip 3768 1⤵
PID:3608
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Pre-OS Boot: 1
  - Bootkit: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Indicator Removal: 1
  - File Deletion: 1
- Modify Registry: 3
- Pre-OS Boot: 1
  - Bootkit: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
-
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]
Filesize 585B
-
C:\Users\Admin\Downloads\@[email protected]
Filesize 933B
-
C:\Users\Admin\Downloads\@[email protected]
Filesize 240KB