Analysis
max time kernel: 16s
max time network: 35s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 24-11-2024 00:24
Static task: static1
Behavioral task: behavioral1
  Sample: ComputerRaper.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ComputerRaper.exe
  Resource: win10v2004-20241007-en
General
Target: ComputerRaper.exe
Size: 85.4MB
MD5: bdb24ed9f869fcd462b316148514fc5b
SHA1: 83935122b626378a3149e9036cd751514add4b52
SHA256: 83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
SHA512: 12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
SSDEEP: 1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97
Malware Config
Extracted
C:\Users\QWYXODCYVL-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/42eb3d0753fcf297
Extracted
C:\Users\Public\Pictures\_R_E_A_D___T_H_I_S___NHTGWHH3_.txt
cerber
http://xpcx6erilkjced3j.onion/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.1n5mod.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.19kdeh.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.1mpsnr.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.18ey8e.top/CF01-DC0A-6411-0098-BE31
http://xpcx6erilkjced3j.17gcun.top/CF01-DC0A-6411-0098-BE31
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/1928-55-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Chimera family
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Gandcrab family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe" Birele.exe -
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2424 netsh.exe 2560 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe DeriaLock.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9bf0c776.exe explorer.exe -
Executes dropped EXE 42 IoCs
pid Process 2652 AgentTesla.exe 1928 HawkEye.exe 2788 butterflyondesktop.exe 2692 $uckyLocker.exe 2804 7ev3n.exe 2780 butterflyondesktop.tmp 2680 Annabelle.exe 2576 BadRabbit.exe 2188 Birele.exe 1660 Cerber5.exe 1268 CoronaVirus.exe 1952 CryptoLocker.exe 2748 CryptoWall.exe 1744 DeriaLock.exe 328 CryptoLocker.exe 2204 Dharma.exe 1288 Fantom.exe 1704 GandCrab.exe 1396 Krotten.exe 1072 InfinityCrypt.exe 1508 NoMoreRansom.exe 2232 Petya.A.exe 2208 PowerPoint.exe 1572 NotPetya.exe 1384 PolyRansom.exe 1664 nc123.exe 1608 RedBoot.exe 2220 mScIAEMI.exe 2660 RedEye.exe 308 PowerPoint.exe 2844 Rensenware.exe 1504 Rokku.exe 2480 Satana.exe 2612 gAcQAQwg.exe 1720 protect.exe 3056 Seftad.exe 2576 assembler.exe 1756 SporaRansomware.exe 1136 mssql.exe 1596 PowerPoint.exe 2796 PowerPoint.exe 1532 mssql2.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Birele.exe -
Loads dropped DLL 21 IoCs
pid Process 2788 butterflyondesktop.exe 3036 ComputerRaper.exe 2204 Dharma.exe 2204 Dharma.exe 2204 Dharma.exe 2204 Dharma.exe 2780 butterflyondesktop.tmp 2780 butterflyondesktop.tmp 1384 PolyRansom.exe 1384 PolyRansom.exe 1384 PolyRansom.exe 1384 PolyRansom.exe 1608 RedBoot.exe 1608 RedBoot.exe 1608 RedBoot.exe 2204 Dharma.exe 2204 Dharma.exe 2204 Dharma.exe 2204 Dharma.exe 2204 Dharma.exe 1780 cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3872 icacls.exe -
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\mScIAEMI.exe = "C:\\Users\\Admin\\YmEYAIYQ\\mScIAEMI.exe" PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gAcQAQwg.exe = "C:\\ProgramData\\NOgAgsAI\\gAcQAQwg.exe" gAcQAQwg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c77 = "C:\\9bf0c776\\9bf0c776.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" NoMoreRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\mScIAEMI.exe = "C:\\Users\\Admin\\YmEYAIYQ\\mScIAEMI.exe" mScIAEMI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gAcQAQwg.exe = "C:\\ProgramData\\NOgAgsAI\\gAcQAQwg.exe" PolyRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe" Birele.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\CryptoLocker.exe" CryptoLocker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c77 = "C:\\9bf0c776\\9bf0c776.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" Krotten.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: Cerber5.exe File opened (read-only) \??\i: Cerber5.exe File opened (read-only) \??\A: GandCrab.exe File opened (read-only) \??\G: GandCrab.exe File opened (read-only) \??\R: GandCrab.exe File opened (read-only) \??\S: GandCrab.exe File opened (read-only) \??\Y: GandCrab.exe File opened (read-only) \??\Z: GandCrab.exe File opened (read-only) \??\r: Cerber5.exe File opened (read-only) \??\y: Cerber5.exe File opened (read-only) \??\H: GandCrab.exe File opened (read-only) \??\T: GandCrab.exe File opened (read-only) \??\V: GandCrab.exe File opened (read-only) \??\W: GandCrab.exe File opened (read-only) \??\h: Cerber5.exe File opened (read-only) \??\k: Cerber5.exe File opened (read-only) \??\l: Cerber5.exe File opened (read-only) \??\t: Cerber5.exe File opened (read-only) \??\w: Cerber5.exe File opened (read-only) \??\J: GandCrab.exe File opened (read-only) \??\O: GandCrab.exe File opened (read-only) \??\U: GandCrab.exe File opened (read-only) \??\b: Cerber5.exe File opened (read-only) \??\o: Cerber5.exe File opened (read-only) \??\u: Cerber5.exe File opened (read-only) \??\E: GandCrab.exe File opened (read-only) \??\I: GandCrab.exe File opened (read-only) \??\m: Cerber5.exe File opened (read-only) \??\n: Cerber5.exe File opened (read-only) \??\B: GandCrab.exe File opened (read-only) \??\Q: GandCrab.exe File opened (read-only) \??\e: Cerber5.exe File opened (read-only) \??\z: Cerber5.exe File opened (read-only) \??\K: GandCrab.exe File opened (read-only) \??\j: Cerber5.exe File opened (read-only) \??\v: Cerber5.exe File opened (read-only) \??\M: GandCrab.exe File opened (read-only) \??\P: GandCrab.exe File opened (read-only) \??\X: GandCrab.exe File opened (read-only) \??\a: Cerber5.exe File opened (read-only) \??\p: Cerber5.exe File opened (read-only) \??\q: Cerber5.exe File opened (read-only) \??\s: Cerber5.exe File opened (read-only) \??\x: Cerber5.exe File opened (read-only) \??\L: GandCrab.exe File opened 
(read-only) \??\N: GandCrab.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 bot.whatismyipaddress.com 7 ip-addr.es 16 myexternalip.com -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." Krotten.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PhysicalDrive0 rundll32.exe File opened for modification \??\PhysicalDrive0 Petya.A.exe File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1608-420-0x00000000013C0000-0x000000000164E000-memory.dmp autoit_exe behavioral1/memory/1608-725-0x00000000013C0000-0x000000000164E000-memory.dmp autoit_exe -
resource yara_rule behavioral1/files/0x0006000000016210-74.dat upx behavioral1/memory/2188-81-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/2188-78-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/files/0x000500000001946a-418.dat upx behavioral1/memory/1608-420-0x00000000013C0000-0x000000000164E000-memory.dmp upx behavioral1/memory/2188-480-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/files/0x000500000001a4a6-488.dat upx behavioral1/memory/1504-501-0x0000000000400000-0x000000000058D000-memory.dmp upx behavioral1/memory/1608-725-0x00000000013C0000-0x000000000164E000-memory.dmp upx behavioral1/memory/1504-940-0x0000000000400000-0x000000000058D000-memory.dmp upx -
Drops file in Program Files directory 30 IoCs
description ioc Process File created C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config AgentTesla.exe File created C:\Program Files\53fcf57a53fcf29a710.lock GandCrab.exe File opened for modification C:\Program Files\FindRemove.ppsm GandCrab.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\QWYXODCYVL-MANUAL.txt GandCrab.exe File opened for modification C:\Program Files\RedoCopy.aif GandCrab.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\53fcf57a53fcf29a710.lock GandCrab.exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml AgentTesla.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\53fcf57a53fcf29a710.lock GandCrab.exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml AgentTesla.exe File opened for modification C:\Program Files\SaveResolve.vsx GandCrab.exe File created C:\Program Files (x86)\53fcf57a53fcf29a710.lock GandCrab.exe File created C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll AgentTesla.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\QWYXODCYVL-MANUAL.txt GandCrab.exe File opened for modification C:\Program Files\CloseUnprotect.png GandCrab.exe File opened for modification C:\Program Files\ConvertToDeny.m4a GandCrab.exe File opened for modification C:\Program Files\SwitchUnblock.odt GandCrab.exe File created C:\Program Files (x86)\QWYXODCYVL-MANUAL.txt GandCrab.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\QWYXODCYVL-MANUAL.txt GandCrab.exe File created C:\Program 
Files\QWYXODCYVL-MANUAL.txt GandCrab.exe File opened for modification C:\Program Files\PingDeny.MTS GandCrab.exe File opened for modification C:\Program Files\UnprotectUnpublish.raw GandCrab.exe File created C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll AgentTesla.exe File created C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll AgentTesla.exe File opened for modification C:\Program Files\JoinSuspend.jpeg GandCrab.exe File opened for modification C:\Program Files\ShowInstall.pcx GandCrab.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\53fcf57a53fcf29a710.lock GandCrab.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\perfc rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\WINDOWS\Web Krotten.exe File created C:\Windows\perfc.dat NotPetya.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\perfc.dat rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 616 2532 WerFault.exe 104 4044 1548 WerFault.exe 105 4032 3056 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 40 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HawkEye.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gAcQAQwg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SporaRansomware.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CryptoLocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GandCrab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NotPetya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerPoint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Satana.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mScIAEMI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ev3n.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Birele.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DeriaLock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nc123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language protect.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $uckyLocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CryptoWall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Krotten.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NoMoreRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rokku.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentTesla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cerber5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fantom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfinityCrypt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language butterflyondesktop.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dharma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RedBoot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CryptoLocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerPoint.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 GandCrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GandCrab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier GandCrab.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 InfinityCrypt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString InfinityCrypt.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2104 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 2620 taskkill.exe -
Modifies Control Panel 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperOriginX = "210" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperOriginY = "187" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\MenuShowDelay = "9999" Krotten.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main Krotten.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe -
Modifies registry class 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND Krotten.exe -
Modifies registry key 1 TTPs 9 IoCs
pid Process 3604 reg.exe 3288 reg.exe 3432 reg.exe 3444 reg.exe 3424 reg.exe 1924 reg.exe 3316 reg.exe 3364 reg.exe 3460 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1704 GandCrab.exe 1704 GandCrab.exe 1384 PolyRansom.exe 1508 NoMoreRansom.exe 1508 NoMoreRansom.exe 2068 rundll32.exe 1384 PolyRansom.exe 1984 rundll32.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe 1720 protect.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2748 CryptoWall.exe 1820 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 1928 HawkEye.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeSystemtimePrivilege 1396 Krotten.exe Token: SeDebugPrivilege 1288 Fantom.exe Token: SeShutdownPrivilege 2232 Petya.A.exe Token: SeShutdownPrivilege 2068 rundll32.exe Token: SeDebugPrivilege 2068 rundll32.exe Token: SeTcbPrivilege 2068 rundll32.exe Token: SeShutdownPrivilege 1984 rundll32.exe Token: SeDebugPrivilege 1984 rundll32.exe Token: SeTcbPrivilege 1984 rundll32.exe Token: SeDebugPrivilege 1744 DeriaLock.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1660 Cerber5.exe 1508 NoMoreRansom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3036 wrote to memory of 2652 3036 ComputerRaper.exe 30 PID 3036 wrote to memory of 2652 3036 ComputerRaper.exe 30 PID 3036 wrote to memory of 2652 3036 ComputerRaper.exe 30 PID 3036 wrote to memory of 2652 3036 ComputerRaper.exe 30 PID 3036 wrote to memory of 1928 3036 ComputerRaper.exe 31 PID 3036 wrote to memory of 1928 3036 ComputerRaper.exe 31 PID 3036 wrote to memory of 1928 3036 ComputerRaper.exe 31 PID 3036 wrote to memory of 1928 3036 ComputerRaper.exe 31 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2788 3036 ComputerRaper.exe 32 PID 3036 wrote to memory of 2692 3036 ComputerRaper.exe 33 PID 3036 wrote to memory of 2692 3036 ComputerRaper.exe 33 PID 3036 wrote to memory of 2692 3036 ComputerRaper.exe 33 PID 3036 wrote to memory of 2692 3036 ComputerRaper.exe 33 PID 3036 wrote to memory of 2804 3036 ComputerRaper.exe 34 PID 3036 wrote to memory of 2804 3036 ComputerRaper.exe 34 PID 3036 wrote to memory of 2804 3036 ComputerRaper.exe 34 PID 3036 wrote to memory of 2804 3036 ComputerRaper.exe 34 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 2788 wrote to memory of 2780 2788 butterflyondesktop.exe 35 PID 3036 wrote to memory of 2680 3036 ComputerRaper.exe 36 PID 3036 wrote to memory of 2680 3036 ComputerRaper.exe 36 PID 3036 wrote to memory of 2680 3036 
ComputerRaper.exe 36 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 3036 wrote to memory of 2576 3036 ComputerRaper.exe 37 PID 1928 wrote to memory of 2652 1928 HawkEye.exe 30 PID 1928 wrote to memory of 2652 1928 HawkEye.exe 30 PID 3036 wrote to memory of 2188 3036 ComputerRaper.exe 39 PID 3036 wrote to memory of 2188 3036 ComputerRaper.exe 39 PID 3036 wrote to memory of 2188 3036 ComputerRaper.exe 39 PID 3036 wrote to memory of 2188 3036 ComputerRaper.exe 39 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 2576 wrote to memory of 2068 2576 BadRabbit.exe 40 PID 3036 wrote to memory of 1660 3036 ComputerRaper.exe 41 PID 3036 wrote to memory of 1660 3036 ComputerRaper.exe 41 PID 3036 wrote to memory of 1660 3036 ComputerRaper.exe 41 PID 3036 wrote to memory of 1660 3036 ComputerRaper.exe 41 PID 2188 wrote to memory of 2620 2188 Birele.exe 42 PID 2188 wrote to memory of 2620 2188 Birele.exe 42 PID 2188 wrote to memory of 2620 2188 Birele.exe 42 PID 2188 wrote to memory of 2620 2188 Birele.exe 42 PID 3036 wrote to memory of 1268 3036 ComputerRaper.exe 43 PID 3036 wrote to memory of 1268 3036 ComputerRaper.exe 43 PID 3036 wrote to memory of 1268 3036 ComputerRaper.exe 43 -
System policy modification 1 TTPs 37 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | Krotten.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
3864 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ComputerRaper.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\ComputerRaper.exe"
    PID: 3036
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\AgentTesla.exe
      cmd: "C:\Users\Admin\AppData\Roaming\AgentTesla.exe"
      PID: 2652
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\HawkEye.exe
      cmd: "C:\Users\Admin\AppData\Roaming\HawkEye.exe"
      PID: 1928
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe
      cmd: "C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
      PID: 2788
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\is-3KHC0.tmp\butterflyondesktop.tmp
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-3KHC0.tmp\butterflyondesktop.tmp" /SL5="$301A8,2719719,54272,C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
        PID: 2780
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\$uckyLocker.exe
      cmd: "C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"
      PID: 2692
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\7ev3n.exe
      cmd: "C:\Users\Admin\AppData\Roaming\7ev3n.exe"
      PID: 2804
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\system.exe
        cmd: "C:\Users\Admin\AppData\Local\system.exe"
        PID: 3448
  [2] C:\Users\Admin\AppData\Roaming\Annabelle.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Annabelle.exe"
      PID: 2680
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\BadRabbit.exe
      cmd: "C:\Users\Admin\AppData\Roaming\BadRabbit.exe"
      PID: 2576
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        PID: 2068
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Delete /F /TN rhaegal
          PID: 980
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2818321691 && exit"
          PID: 3964
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
          PID: 3280
      [4] C:\Windows\DC2C.tmp
          cmd: "C:\Windows\DC2C.tmp" \\.\pipe\{ED5B6E11-D0B5-4D22-879E-6D7B49AC2AA0}
          PID: 3508
  [2] C:\Users\Admin\AppData\Roaming\Birele.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Birele.exe"
      PID: 2188
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /F /IM explorer.exe
        PID: 2620
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\Cerber5.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Cerber5.exe"
      PID: 1660
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
    [3] C:\Windows\SysWOW64\netsh.exe
        cmd: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
        PID: 2424
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\netsh.exe
        cmd: C:\Windows\system32\netsh.exe advfirewall reset
        PID: 2560
        - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Roaming\CoronaVirus.exe
      cmd: "C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"
      PID: 1268
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
      cmd: "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"
      PID: 1952
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
        cmd: "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe" /w000000C8
        PID: 328
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\CryptoWall.exe
      cmd: "C:\Users\Admin\AppData\Roaming\CryptoWall.exe"
      PID: 2748
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
    [3] C:\Windows\syswow64\explorer.exe
        cmd: "C:\Windows\syswow64\explorer.exe"
        PID: 1820
        - Drops startup file
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\syswow64\svchost.exe
          cmd: -k netsvcs
          PID: 2360
          - System Location Discovery: System Language Discovery
      [4] C:\Windows\syswow64\vssadmin.exe
          cmd: vssadmin.exe Delete Shadows /All /Quiet
          PID: 2104
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies
  [2] C:\Users\Admin\AppData\Roaming\DeriaLock.exe
      cmd: "C:\Users\Admin\AppData\Roaming\DeriaLock.exe"
      PID: 1744
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\Dharma.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Dharma.exe"
      PID: 2204
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
        PID: 1664
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c cls
          PID: 2148
    [3] C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
        PID: 1136
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
        PID: 1532
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat" "
        PID: 1968
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat" "
        PID: 2808
  [2] C:\Users\Admin\AppData\Roaming\Fantom.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Fantom.exe"
      PID: 1288
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\GandCrab.exe
      cmd: "C:\Users\Admin\AppData\Roaming\GandCrab.exe"
      PID: 1704
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe
      cmd: "C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"
      PID: 1072
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
  [2] C:\Users\Admin\AppData\Roaming\Krotten.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Krotten.exe"
      PID: 1396
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  [2] C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe
      cmd: "C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"
      PID: 1508
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
  [2] C:\Users\Admin\AppData\Roaming\NotPetya.exe
      cmd: "C:\Users\Admin\AppData\Roaming\NotPetya.exe"
      PID: 1572
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
        PID: 1984
        - Writes to the Master Boot Record (MBR)
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 01:28
          PID: 1784
      [4] C:\Users\Admin\AppData\Local\Temp\D9DB.tmp
          cmd: "C:\Users\Admin\AppData\Local\Temp\D9DB.tmp" \\.\pipe\{EBB75BE4-5DE7-48EF-98D6-B9E484897EA7}
          PID: 2708
  [2] C:\Users\Admin\AppData\Roaming\Petya.A.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Petya.A.exe"
      PID: 2232
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\PolyRansom.exe
      cmd: "C:\Users\Admin\AppData\Roaming\PolyRansom.exe"
      PID: 1384
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\YmEYAIYQ\mScIAEMI.exe
        cmd: "C:\Users\Admin\YmEYAIYQ\mScIAEMI.exe"
        PID: 2220
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    [3] C:\ProgramData\NOgAgsAI\gAcQAQwg.exe
        cmd: "C:\ProgramData\NOgAgsAI\gAcQAQwg.exe"
        PID: 2612
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
        PID: 1780
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Roaming\PolyRansom.exe
          cmd: C:\Users\Admin\AppData\Roaming\PolyRansom
          PID: 2668
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
            PID: 3720
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
            PID: 3424
            - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
            PID: 3460
            - Modifies registry key
        [5] C:\Windows\SysWOW64\reg.exe
            cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
            PID: 3604
            - Modifies registry key
        [5] C:\Windows\SysWOW64\cmd.exe
            cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgoEQMUk.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
            PID: 3772
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        PID: 1924
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        PID: 3288
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        PID: 3432
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQgEEYUU.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
        PID: 2984
  [2] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
      cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
      PID: 2208
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
        cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
        PID: 308
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
          cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
          PID: 2796
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
          cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
          PID: 952
      [4] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
          cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
          PID: 1804
    [3] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
        cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
        PID: 1596
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
        cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
        PID: 2024
    [3] C:\Users\Admin\AppData\Roaming\PowerPoint.exe
        cmd: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
        PID: 2156
  [2] C:\Users\Admin\AppData\Roaming\RedBoot.exe
      cmd: "C:\Users\Admin\AppData\Roaming\RedBoot.exe"
      PID: 1608
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\94902035\protect.exe
        cmd: "C:\Users\Admin\94902035\protect.exe"
        PID: 1720
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\94902035\assembler.exe
        cmd: "C:\Users\Admin\94902035\assembler.exe" -f bin "C:\Users\Admin\94902035\boot.asm" -o "C:\Users\Admin\94902035\boot.bin"
        PID: 2576
        - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\RedEye.exe
      cmd: "C:\Users\Admin\AppData\Roaming\RedEye.exe"
      PID: 2660
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Roaming\Rensenware.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Rensenware.exe"
      PID: 2844
      - Executes dropped EXE
    [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        cmd: dw20.exe -x -s 384
        PID: 3916
  [2] C:\Users\Admin\AppData\Roaming\Rokku.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Rokku.exe"
      PID: 1504
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\Satana.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Satana.exe"
      PID: 2480
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Roaming\Satana.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Satana.exe"
        PID: 3792
  [2] C:\Users\Admin\AppData\Roaming\Seftad.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Seftad.exe"
      PID: 3056
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 224
        PID: 4032
        - Program crash
  [2] C:\Users\Admin\AppData\Roaming\SporaRansomware.exe
      cmd: "C:\Users\Admin\AppData\Roaming\SporaRansomware.exe"
      PID: 1756
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Admin\AppData\Roaming\ViraLock.exe
      cmd: "C:\Users\Admin\AppData\Roaming\ViraLock.exe"
      PID: 2512
    [3] C:\Users\Admin\tIIkEEwU\KWwoEgIM.exe
        cmd: "C:\Users\Admin\tIIkEEwU\KWwoEgIM.exe"
        PID: 2532
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 36
          PID: 616
          - Program crash
    [3] C:\ProgramData\DuAEsgUs\fmEIoUAk.exe
        cmd: "C:\ProgramData\DuAEsgUs\fmEIoUAk.exe"
        PID: 1548
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 36
          PID: 4044
          - Program crash
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c "C:\Users\Admin\AppData\Roaming\ViraLock"
        PID: 3620
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        PID: 3316
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        PID: 3364
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        PID: 3444
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WwsAIwMk.bat" "C:\Users\Admin\AppData\Roaming\ViraLock.exe""
        PID: 3496
  [2] C:\Users\Admin\AppData\Roaming\WannaCry.exe
      cmd: "C:\Users\Admin\AppData\Roaming\WannaCry.exe"
      PID: 2984
  [2] C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe
      cmd: "C:\Users\Admin\AppData\Roaming\WannaCrypt0r.exe"
      PID: 2664
    [3] C:\Windows\SysWOW64\attrib.exe
        cmd: attrib +h .
        PID: 3864
        - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\icacls.exe
        cmd: icacls . /grant Everyone:F /T /C /Q
        PID: 3872
        - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (7)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads