Analysis
-
max time kernel
501s -
max time network
503s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-11-2024 16:09
General
-
Target
https://cdn.discordapp.com/attachments/1292106055740031067/1304088121750589511/Setup.rar?ex=672e1e35&is=672cccb5&hm=16956a7ba3dbb0b46c0f52c30540b8ed209222f1b2512ae5c5f77d9af335974a&
Malware Config
Extracted
https://github.com/Mohmmmasdasd/asdas/raw/refs/heads/main/Windows.Security.exe
Extracted
xworm
here-thinking.gl.at.ply.gg:50161
-
Install_directory
%LocalAppData%
-
install_file
WindowsSecurity.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 11 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 22 IoCs
-
NTFS ADS 4 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1292106055740031067/1304088121750589511/Setup.rar?ex=672e1e35&is=672cccb5&hm=16956a7ba3dbb0b46c0f52c30540b8ed209222f1b2512ae5c5f77d9af335974a&1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef75646f8,0x7ffef7564708,0x7ffef75647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5024 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\winrar-x64-710b1.exe"C:\Users\Admin\Downloads\winrar-x64-710b1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\winrar-x64-710b1.exe"C:\Users\Admin\Downloads\winrar-x64-710b1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\winrar-x64-710b1 (1).exe"C:\Users\Admin\Downloads\winrar-x64-710b1 (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3500 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7028 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7z2408-x64.exe"C:\Users\Admin\Downloads\7z2408-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7048 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,18043494788401835420,10464902043691123094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:12⤵
-
-
C:\Users\Admin\Downloads\Windows.Security.exe"C:\Users\Admin\Downloads\Windows.Security.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Windows.Security.exe"C:\Users\Admin\Downloads\Windows.Security.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\5e4511ed0e6b44d2b7f67b496a7f4bd0 /t 5880 /p 58761⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d954bacb04c34e6f8eb2000bf751cc0d /t 5980 /p 59761⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c6d3ee626547461dbf4e79ca8d6190ec /t 6044 /p 60401⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap13858:72:7zEvent150241⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -an -ai#7zMap2305:84:7zEvent288341⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Setup\Setup\Start.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\Setup\Setup\First.ps1"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hhsipff1\hhsipff1.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\hhsipff1\CSC3EEA02A5A014EB8BAC353AF263E9A13.TMP"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe"C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.Security.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsSecurity.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Local\WindowsSecurity.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Setup\Setup\Start.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\Setup\Setup\First.ps1"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Setup\Setup\See.png" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\WindowsSecurity.exeC:\Users\Admin\AppData\Local\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\WindowsSecurity.exeC:\Users\Admin\AppData\Local\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap674:72:7zEvent79541⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -an -ai#7zMap19073:84:7zEvent72351⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\Setup\Setup\First.ps1"1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\WindowsSecurity.exeC:\Users\Admin\AppData\Local\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\WindowsSecurity.exeC:\Users\Admin\AppData\Local\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Setup\Setup\Start.bat"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Downloads\Setup\Setup\First.ps1"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4hlktads\4hlktads.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAB.tmp" "c:\Users\Admin\AppData\Local\Temp\4hlktads\CSC8277093C1C5E4349A3B7490D31DDC1F.TMP"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe"C:\Users\Admin\AppData\Local\Temp\Windows.Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Setup\Setup\You can operate it while the protection is working.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5d346530e648e15887ae88ea34c82efc9
SHA15644d95910852e50a4b42375bddfef05f6b3490f
SHA256f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902
SHA51262db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673
-
Filesize
1.8MB
MD51143c4905bba16d8cc02c6ba8f37f365
SHA1db38ac221275acd087cf87ebad393ef7f6e04656
SHA256e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812
SHA512b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894
-
Filesize
692KB
MD54159ff3f09b72e504e25a5f3c7ed3a5b
SHA1b79ab2c83803e1d6da1dcd902f41e45d6cd26346
SHA2560163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101
SHA51248f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d
-
Filesize
1KB
MD525d7ac29d798600ddc5fd880b162958b
SHA1a2ba91e14155cfa5c26670e17ac606f3f28b0be2
SHA2563c6d5ecae46dd9f6756e444bc51635cdd9696f3ed9fe0601cf41059a04085f88
SHA512d91a9028c0fdf3761edbccddaa460573281b7d390efc7dfe3ebef46ce5ede53d36a7148c523e312b5daedc91c11cdb2cc8d0f8b475339cd35dba044595778d45
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
67KB
MD5fb2f02c107cee2b4f2286d528d23b94e
SHA1d76d6b684b7cfbe340e61734a7c197cc672b1af3
SHA256925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a
SHA512be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
3KB
MD5e885c512d78589b397a52828d4408de5
SHA1e27f33debd59f4ab493e0e98f57f3d6cc3d03280
SHA256cf96c757a591bfd4d3312fdceeaa1c6576aa4026084734ae8036ae5afe50f0ce
SHA5120ec30d09bd7315e3d9a93a740f2cbc6fb88d710c1a24c6d313fefc73823fbaa55ea09444f0e9865dff8b4959c3050986cb8daf37fa60ab4269ac504a51bd2a37
-
Filesize
1KB
MD57e2678ec110a9c99cc63806fdf4e8251
SHA1f33979e17681f0c70ab0566e9bf25ee7bc3ae3f1
SHA2563fc8d586a50fbea032c7359f3ecee7eebb4c47adfd7bb1b10efc87682d4cc6cf
SHA51250c62f34fdf050c2c4d2bc4ed16acae4ab27ea88c3956ae263559d419afaeb57fac3678819ecb4951147e1b15b6205ba69a4290601bcff2ba5ad0cbdd171bb6e
-
Filesize
536B
MD567dc638836d8d115ca29b412e8324add
SHA1d7df6e0346f0f0c162d5e65ae84ab64e69e261e1
SHA25643c69086dee16af7957f87df12b982b44df2beaf201a303a1e0d263e902f8de4
SHA51225db26779c0c97bd3db60c255438c6237c52cc41f651bd22f6eb0a9c510a7292165f6f1e605f1b2fdaf86da31b619d8db60505fb70c162c063fb4f7c9f7fc5c5
-
Filesize
757B
MD5ffc23ae212901f1e8c45b1368b559fd4
SHA1f76757e176bc060715c1d0797edf5ad409dc1992
SHA2562395a8306d71032a9faf33869964899b9ccb04e35a9d24f4a18f7c17ecc164b0
SHA51215e3064fd04dd6d87a7c49e752c72d2b8e96bbea6f3250bc66f768b5c348d86e0d00737c4052439420a718a5da17b1e5f202af292a5a1bd2e32e92cd770e5245
-
Filesize
988B
MD509f651fd5c971fa4de105ae17d74cf2a
SHA163cae5ec4f6e8680cd8e329e9e9339bcc43471b0
SHA25636253eb007213ca7b2d065f5824971998a0d0e741e4749532d949a3144183dd9
SHA512597417a418be0e2447dcf3aeefc341be97ac3aa7da62e10e38cfb011dab6d24f458b1aeda20302985f1e66b1bc7783f68d25f6a43fcb21c76654a89a47dc9117
-
Filesize
6KB
MD573ea368b1104067a4b22bf6a92750562
SHA1c3b5b1bbf2cfd8540178b0073340f01bcb7f3ed9
SHA25662a216c20194d6e2be02ff4303429f65253bcc2c2f9f0c48f65534d451569bca
SHA5121201c806319d090600aa9f9806e67c67f7038ae86c69298757269684da522c61593341dce797956952729dba50f21066a238ae051b4450721d3201e4583b0262
-
Filesize
6KB
MD5fd90a63870808bc211e002c9047128af
SHA13bcfe278051b66bfe21bb4a7b04d83c6ba9bf32e
SHA25635b237712acc5d746e454effaec7578fdf41d1d201e843a46d772b58af243889
SHA512ec1adfd01ad6938e6108b0dec73c7b111fdc7bade044b843e9243e05f23327bdda9ba21d5ac0a256c15cbc6aa799aabccb3237c52ac1f4f3861e860ff8f6b0e3
-
Filesize
7KB
MD53ddc69258193275482e77bff73d88fa3
SHA12b07bca7b1ea86185b1377ec0e51f04c42a050c1
SHA2568f6ed9ba1e0fb8814dec4b9a618fa3014282da6457d3dcd1b82a6b73adba8c7e
SHA5129d542365118689303e161affbcd34699e44c5b12f4dfc8f834c733f493aa6cc72ede8c79d126a7ef9c74c4fc97d8de3e38e76a24493150e7efcea0330cb8163e
-
Filesize
8KB
MD561b7756be169b9707e48da144047f661
SHA19b614b226c5816ff56642851fdd84b2d7c44f1b5
SHA256366eebc2128c0567f4f6b4a6a91f0ce2e84c67a540ffd5fb4ed94c4b8b20f28f
SHA512f5110dc1676f137908343849bc377cd990d92785f08e0d33b2f72447356f5b80b0933c0f85a53cd14290950d70e4e8572b1a07518bab6ae2407032efa981c8aa
-
Filesize
5KB
MD519e62de7ffe9e52c4d2b4392d9bfc652
SHA19b2f169f5ed979cf26b05c73f9dbeaff4c0f2301
SHA256911e9f1fb46ddbc4b64158b101c077c2a5ec80cda8715b42d21823b6086c4ee6
SHA512a9322087612899ae226858b267828c73bc40120158917875382ccab5a8f6257a2077fdc85d2575c219323f99950aae757f0237f5bc825c27120048e6a67aab57
-
Filesize
6KB
MD5c301d7ae1f91a778e6dfef9bb5f792af
SHA1ac1daee491e46a81aa064780a2a863588eb3c538
SHA2568037b3783252b0230cb349b6d6ba6f0333a5e01f71de0f279aef4567549c585f
SHA5124e5e783e78b6dbfe9b5263bdb0f8cead561844cbce93e3147dc4d66d103a8c7f34d1d40c5f60a277a8db04dc9a8461e71f15ed3805eb873c2b6ca864767eafc8
-
Filesize
6KB
MD54efe00740f403d66925384634cc5fda6
SHA114e456685206603c2480910c895fcbff847d43a4
SHA25673996778448c80825241e8fd10ff6aa7e04a879eddbf7959dfc6bd7e2fc0506d
SHA5123bcdc048561914b64eaf10ebcc92ab0a22cb01ef38346f4fb7cc5c1962681da22be18cf50a08dd83ca257c226f9054f770a6be809e69103ed128842881545b42
-
Filesize
703B
MD553aab02891cb8f498482be7be79697b7
SHA114d67b80a38751866f7cb9450fa33bbcedd0d299
SHA256bfdaaaed94cd5f9034c01148fb4a6536347db815d045b4086776e01022847e26
SHA512cc22b9804d3ddf7a2ae72c26272143f3aeb1f2609e805deb959aa3a3542545a1667ca4e90c77222a38cb51eaae5832cd4488b5e63cf4ebd3414ea88ee0fe6009
-
Filesize
1KB
MD5ae03aa69d112139d134f87163dd488a7
SHA1a768d09184001f6396d5ff1ec79b46143ba7faba
SHA256fba3e2bd63f2e8039a1dba3681771e783fc976488b2d5a236e657342fc1d4eaa
SHA5125bd464cb040234d088abc6ec30ec1aef78bd2dbb8fbf02253b1595a17ae2398322888ad62da382e28d0d21bc94310d5a32f899bda6c86b5f215e19efd904dbe2
-
Filesize
1KB
MD5522bf4f60b521dd3c4ee3be971d63c08
SHA1196c6b223917868095d7323a9858215e4d7761d7
SHA256ca2728e05977e0d705b6526d7b51c8adeb89dc4d3f5a0ad7b154a38e2358ec40
SHA5120a4411da60a456d07b32800d4d2b0f1acef39ca60fed20919c9266cffd0de82890a8e608271b8853b301f377295fe699dc94e65de3973b3ef2fadb20561f386c
-
Filesize
703B
MD56149813d8c2b9f4f6570a893ad1f5c49
SHA1934944b3d3afa56238506506c90e5bf3f3fe211f
SHA256167b68269a6a9db633cb4d2b3fda9146dc0df163cfcb1ee5c5fe5e736cfeaa60
SHA5121e95911692bf75212ef26a477bc73651a3608e63d58d4b1b8924dbb72c21ed96b06ca6abc249a150540e38297acd17927dfc430173f261a426dfcb68efbd3bca
-
Filesize
868B
MD58509683b7218ffd8cdafef0851b0d113
SHA1954cb9fdab719bb0dd5464dffb601f3bb9cbd534
SHA2569c1c9e30efdd3a4abf3f5c66a26d68434153bf5de62e31f17ebd379aa4441e7e
SHA512407f8e1bf5058cade1ea43d90c96dc3df16efed8002af147ff9a73016bcd3a6af9a15e00c6569767a7fdd43c23acd3a0099d039323a25ebb17e29df5b161fc5a
-
Filesize
701B
MD5aaa0bc8941a6b2a02d215d8e76817f00
SHA195d9191d1786c0e990e7d0e9cc1479cd4474530f
SHA2560b4359ea084ae6bc646094f273139c842ecd2e137b10004d0cb4b0addc5bad15
SHA512aec94bed6f694fe36f1614b20415e6f08e24e5f76ddafdfabf40444d64f09a79941312edda648c153487ab42782ecc974dc89181153105fcb807a1d2e94708ec
-
Filesize
703B
MD5781c3f7524774fabaaee2d3079a40abd
SHA1e28bead4bad4b2704fefd275a354aa5187aa5f35
SHA2561b40585f62a6da1faf6ad301ab29103c7b6e1af06c79c32029d95aa58842a647
SHA5125dbbbe3c0cfb0cb95a598626eb39ab717e3c1d4f29c6e5068a2d22f7163efe07bdb6c9d2fd7f35039afac8125634b2b749ef4a5c1ca4b7ff0341e416baaba80a
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5e8f09bd2d5454b760d386272792edfd2
SHA1ad345fc55bbeec64a6c524f221c594bb754dd257
SHA25636c3655596e2f647a5c01073911644124a188d11d36f88d57c47517abf261ba2
SHA51290b232160c65047ca542bd4d9da581e11e178e01b11ace948424e9c59aadc39c7f7a6b8ae4e2534bf01c0e3afd6dabaf2acd53b56a11b26e0c715410ba829b9c
-
Filesize
10KB
MD5111c7d77ee95927a2e3089ec515ecbed
SHA1196df2ae0517d796302058075371272d325d3570
SHA2562ad3290c44409976f381fca0602342f4188819f28b0b9fa1b03e3ab327e43d8e
SHA512a249f4ee22833141bd235a9d16026630ceffa29cd114cff749df82612eabf68eb3b56552cbab4ab9168a8340cd09a8fdc77d8ca0c415d3ef7a9bb7c3223142ff
-
Filesize
10KB
MD50c033bab6b7f8890ed7eda6aa44957f3
SHA1165a10593d92511b5b9cf78424769928f40977af
SHA2567f1dd9c312d3c4be73c1858938072e068d4c6680bdebdc691679b33f51a9c9ee
SHA512309a8c357cecd42bd5f5e071fe40e0af2966ea586f4b3cbac8fbd38f69ea43d67d8a1a61cfd6b1f8cbfa346f55f3c99891cca1503b48293f49f726ddb675ce5c
-
Filesize
11KB
MD589bf6170fd22db2aea483e420fd99d66
SHA14cf0e7febd8455b5a1f826e3e679891d3b4af0ee
SHA256e4eb779199afb123794c9491308cffac61254869bcab29835a58549c6309c953
SHA512da2cddd7507704c0ff65a07fbbec80f59c7ad06e955b06c6a90a5f64fcc8a3f00e767332468716d06a27d71e8d1906bab8ee74e6f10cdd2b9cb507d0c0430556
-
Filesize
11KB
MD59ccef33a6daa48486b2f34de97425874
SHA155ab6a76ebc72dc5783a6ff75a4f49d754a40454
SHA256fc4627f4af8c5af21ed7597cfe53cb4c86f0153715b188d8092e6765be15070c
SHA5120b504d7e30d6ea3261415cf5da99ea2837bfc5ab5245646b3440ef3e66541fa8c20b809a5ae33351ce24304e32329beb308a877bbd772f2223a2a8113f3186d8
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
944B
MD560945d1a2e48da37d4ce8d9c56b6845a
SHA183e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA5125d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed
-
Filesize
944B
MD5499298c8da8c8b6e630c889b60905388
SHA1b3b519bebf9861bcdad6e2e6426c2e8a96fd8056
SHA2562e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca
SHA5129da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069
-
Filesize
1KB
MD51d78440de929512c2c81427409c08cc0
SHA151f1ddba369d2ecb8cfc2fa49dbccd779c6ae524
SHA256b2ed378989fade7a29dfbf0e9baf5436ac554ebc571b89305a63998391126fe5
SHA5124351c1abe9b21d7acde1759c049eaa1ca8b1723a1ad385255c880221de1e6eca3c6da8de3ffcb664a1eb2587cb905f1c37c7b507ef9142fa0d9a0bb6ea1f4e08
-
Filesize
1KB
MD5a10471a1948fa6955da68fdd739a70b5
SHA1d537436c829c81bef6becefb6eea3e95ebcbb1ce
SHA256f291f752c1eff3b71f4f18c9f3ce89423b97606997000886f1e66616e17795ef
SHA51289ba9c14e3d7fa58de055735927da463eb098abf83503adeabccd2ae84d3b863c11e035dc6ca57ec1d6c1d6a30964bcad67efdd83ca64c0db1cd3bf642099c97
-
Filesize
69KB
MD50dda7546fa4191f63d9e6ec287737048
SHA16a787a4bafae5cf50cf1226a3b19981b89f144d8
SHA256496df744057714699bed70787c5419937099f52a0e6f382172cb26b2e510197c
SHA512d4dee4c9269ea7834ed831e802307d58eb82b7b86d67deb868748f51dbe9f138dfb29e046edda8f938c31728ecd9bfbd581b89a8670e32ca542cb275eccdc47f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5efafbae42e2ac0e2dcf2ae3504b979e0
SHA103ba6e42fb6639bf0330a951c0679410c169387a
SHA2561b82b3d7f0702053484107f7d4cf3ea6df292b95ece0ed6b58c5b8d5b64d318c
SHA512190d50bcda550fedb62ff3b818a3e15fbb5ea97ecccd2b53421d7e07ca25ff333b21f292c8b49200155c0e76aa36287de639e38af45fe6c5a2932bcec1e7846d
-
Filesize
9KB
MD51e561bf3ef507029f629f889b480df49
SHA1321f3eef5966bb94d64c54bcabac7b77b94ec7f0
SHA25673438a436c1d3d686aed6e5ddb7c600408d8880fe2b3b41fce27b537bc22c599
SHA512650ed657d89eaf20e3794d32dc9fc4fa8c4112f19f9e9dda0804c227a164129596828ffb428d48d52248e4b5f274eb7aa2e31ea4d9300a0afef50e4c1fadbc86
-
Filesize
9KB
MD58c834fc5abf30749a5aaed9147d65b05
SHA143367f4867984aef058d5bef58a9232905806b17
SHA256077366d860515232bbe70b8c528742d8f9e7f43c4a9b6e38a6e5ec9163cc302f
SHA51274b463402deb7b17e3c3ab252fa5f1aee73d689dd5be96424dde1a2308c821e1cb852da7a4df1f3c0c29549ea5b80af087230c36ccb01f1501153f83f4026457
-
Filesize
1KB
MD5355758fa44771365dfe136f62ad45d7b
SHA16201b4545c3593ab65d49d41609ac722166a6563
SHA256ec083e27ff17a38cba680f48e6468cbdadb4ee45561f58b8a941cc3452c9ac11
SHA5123cbecf52f2132398ae72e7ad074a6f4bb69dabc2666e07826b6b35f3853cdbb1881e8848e0fe46897496b50c9de81618865e5cdd1cb03a723ef24d9a888fd4d1
-
Filesize
7KB
MD5cd9c8bff1f67588eec3d2d64c45134e7
SHA1054c2bd24a213050ed6d9369ce75bcb334555a55
SHA2566d4961be8343308ffded0d7f954824688d66e9b4eb14151d1f9ce68c630241e6
SHA5126c670416596ac78e38dab31ad1922cdaa735b89a5f00dc8a4c5ecc4a9a48d88f1179ab331e2ad893fca29afc94fe48abe5fe19b5925103bb8ad273df75090d49
-
Filesize
129B
MD5db38c6d364840c2f07293c6e126b4861
SHA1d373ea5202039fa1abde76abd7cf42757a68b431
SHA256af95ba5eb54db6ae3708b77d2f1f317fb0e723fc837ca800409554333060461e
SHA5129dcd53d90cf7a1bd9cea90ba5663734cda59266a7176421474f3f1cbdcfdba0b8a4230b14d16c68a550e88c91e5b82b9cce207025cb69eac3ebf369d4e24f6b8
-
Filesize
1.5MB
MD50330d0bd7341a9afe5b6d161b1ff4aa1
SHA186918e72f2e43c9c664c246e62b41452d662fbf3
SHA25667cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1
-
Filesize
3.6MB
MD55c8ae313b5f6329769c21cded103caac
SHA165261932399cc2db5cd3bf2cab55c897d9a2b2f3
SHA256d480fcef571d66ac00fd0982b01008dd7981ae570692cd1321577238a53c809d
SHA512c02ae0a7e3cdb2ec6ca795211854cf199bd7b4b45a6fe054d5d3413bdcb56fafb948285fd6cf4780c4a14b830aca9b1591c744e4b7c35420807a876aad839faf
-
Filesize
652B
MD55a861ac010a5fa1646ca36cde09d393c
SHA13c5114d515262ceffca49b47c4029fe1d1ed0c25
SHA256cd4a5f002675fb7a21eb2d288e13ccf113edb1d59b840d72242445bebc5d27ff
SHA512ed30f46e77445726230e7cf003fb7b6a9208c98645a4d8635ee15131bf1cb504725d6d7518bb8ec6a49078ac51e3424e5a024bfc0a8d9a31dbb42010ad1dbd64
-
Filesize
298B
MD5d2dd7b143c5631aa598407bbe81ef5db
SHA1a5c77b81db6300d7a7eb424875c96e2611d42d83
SHA256b3ccd5d9083909c89f8201c421434ec38280c051597b5414559c1df7fcf31cfe
SHA512bd2cc89e16b2d9ffee6e8e32c9474acd2ba1f9db187b26aa0c9dbde8b7e58476e96756cb6d6d46e8b18b7e1c936d4febc093196e690e35f2002c7da6331fbb62
-
Filesize
369B
MD537c2d0cdd5f502ce176117615bafe6b2
SHA1013a9f187c8e6cbf9a1b449a0d254e2ced7e2f44
SHA256de786d1a615555b7af96de34a572eeb6c89981559398a9acb80ce932225ea624
SHA5126d40e946e274816aeada9265bb8170bc509ebe7371f8416d52849f15d6bc66b63f85b4b69fec160e35e8bedf258ea4509a9f7cf68ef9e659aba30f7ceab930bb
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
96KB
-
Filesize
704KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
32KB
