Analysis
- max time kernel: 7s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2024 00:24
Static task: static1
Behavioral task: behavioral1
- Sample: ComputerRaper.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ComputerRaper.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: ComputerRaper.exe
- Size: 85.4MB
- MD5: bdb24ed9f869fcd462b316148514fc5b
- SHA1: 83935122b626378a3149e9036cd751514add4b52
- SHA256: 83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
- SHA512: 12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
- SSDEEP: 1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral2/memory/2948-68-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
-
Chimera family
-
CryptoLocker
Ransomware family with multiple variants.
-
Cryptolocker family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe" | Birele.exe
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023caf-708.dat | mimikatz
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 4 IoCs
pid | Process
3124 | netsh.exe
3156 | netsh.exe
5800 | NetSh.exe
4088 | NetSh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ComputerRaper.exe
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d43c3227.exe | explorer.exe
-
Executes dropped EXE 19 IoCs
pid | Process
1008 | AgentTesla.exe
2948 | HawkEye.exe
4992 | butterflyondesktop.exe
5028 | $uckyLocker.exe
3076 | 7ev3n.exe
4304 | butterflyondesktop.tmp
4868 | Annabelle.exe
1992 | BadRabbit.exe
1100 | Birele.exe
544 | Cerber5.exe
4696 | CoronaVirus.exe
2612 | CryptoLocker.exe
3852 | CryptoWall.exe
3760 | DeriaLock.exe
3772 | system.exe
2368 | CryptoLocker.exe
4100 | Dharma.exe
1456 | Fantom.exe
4936 | GandCrab.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Birele.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Birele.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Birele.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Birele.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Birele.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Birele.exe
-
Loads dropped DLL 1 IoCs
pid | Process
4688 | rundll32.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\CryptoLocker.exe" | CryptoLocker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d43c322 = "C:\\d43c3227\\d43c3227.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*43c322 = "C:\\d43c3227\\d43c3227.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d43c3227 = "C:\\Users\\Admin\\AppData\\Roaming\\d43c3227.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*43c3227 = "C:\\Users\\Admin\\AppData\\Roaming\\d43c3227.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\Birele.exe" | Birele.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | Cerber5.exe
File opened (read-only) | \??\j: | Cerber5.exe
File opened (read-only) | \??\r: | Cerber5.exe
File opened (read-only) | \??\u: | Cerber5.exe
File opened (read-only) | \??\v: | Cerber5.exe
File opened (read-only) | \??\y: | Cerber5.exe
File opened (read-only) | \??\g: | Cerber5.exe
File opened (read-only) | \??\h: | Cerber5.exe
File opened (read-only) | \??\k: | Cerber5.exe
File opened (read-only) | \??\s: | Cerber5.exe
File opened (read-only) | \??\w: | Cerber5.exe
File opened (read-only) | \??\z: | Cerber5.exe
File opened (read-only) | \??\e: | Cerber5.exe
File opened (read-only) | \??\m: | Cerber5.exe
File opened (read-only) | \??\n: | Cerber5.exe
File opened (read-only) | \??\p: | Cerber5.exe
File opened (read-only) | \??\t: | Cerber5.exe
File opened (read-only) | \??\x: | Cerber5.exe
File opened (read-only) | \??\b: | Cerber5.exe
File opened (read-only) | \??\i: | Cerber5.exe
File opened (read-only) | \??\l: | Cerber5.exe
File opened (read-only) | \??\o: | Cerber5.exe
File opened (read-only) | \??\q: | Cerber5.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | bot.whatismyipaddress.com
33 | ip-addr.es
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/5892-1128-0x00000000004B0000-0x000000000073E000-memory.dmp | autoit_exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "0" | $uckyLocker.exe
-
resource | yara_rule
behavioral2/files/0x0007000000023c8a-97.dat | upx
behavioral2/memory/1100-124-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/1100-113-0x0000000000400000-0x0000000000438000-memory.dmp | upx
behavioral2/memory/5892-823-0x00000000004B0000-0x000000000073E000-memory.dmp | upx
behavioral2/files/0x0007000000023cbe-785.dat | upx
behavioral2/files/0x0007000000023d03-1076.dat | upx
behavioral2/memory/5892-1128-0x00000000004B0000-0x000000000073E000-memory.dmp | upx
behavioral2/memory/5468-1107-0x0000000000400000-0x000000000058D000-memory.dmp | upx
behavioral2/memory/1100-984-0x0000000000400000-0x0000000000438000-memory.dmp | upx
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\dispci.exe | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\cscc.dat | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | butterflyondesktop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cerber5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptoLocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | $uckyLocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | butterflyondesktop.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Birele.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeriaLock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AgentTesla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HawkEye.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fantom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ev3n.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptoWall.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CryptoLocker.exe
-
Interacts with shadow copies 3 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
5432 | vssadmin.exe
5964 | vssadmin.exe
5676 | vssadmin.exe
5864 | vssadmin.exe
5076 | vssadmin.exe
4672 | vssadmin.exe
-
Kills process with taskkill 1 IoCs
pid | Process
4084 | taskkill.exe
-
Modifies registry key 1 TTPs 3 IoCs
pid | Process
6020 | reg.exe
6028 | reg.exe
6036 | reg.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4276 | SCHTASKS.exe
4532 | schtasks.exe
6004 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4688 | rundll32.exe
4688 | rundll32.exe
4688 | rundll32.exe
4688 | rundll32.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
3852 | CryptoWall.exe
448 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2948 | HawkEye.exe
Token: SeShutdownPrivilege | 4688 | rundll32.exe
Token: SeDebugPrivilege | 4688 | rundll32.exe
Token: SeTcbPrivilege | 4688 | rundll32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 2016 wrote to memory of 1008 | 2016 | ComputerRaper.exe | 83 | 3
PID 2016 wrote to memory of 2948 | 2016 | ComputerRaper.exe | 84 | 3
PID 2016 wrote to memory of 4992 | 2016 | ComputerRaper.exe | 85 | 3
PID 2016 wrote to memory of 5028 | 2016 | ComputerRaper.exe | 86 | 3
PID 2016 wrote to memory of 3076 | 2016 | ComputerRaper.exe | 87 | 3
PID 4992 wrote to memory of 4304 | 4992 | butterflyondesktop.exe | 88 | 3
PID 2948 wrote to memory of 1008 | 2948 | HawkEye.exe | 83 | 2
PID 2016 wrote to memory of 4868 | 2016 | ComputerRaper.exe | 89 | 2
PID 2016 wrote to memory of 1992 | 2016 | ComputerRaper.exe | 90 | 3
PID 2016 wrote to memory of 1100 | 2016 | ComputerRaper.exe | 92 | 3
PID 2016 wrote to memory of 544 | 2016 | ComputerRaper.exe | 93 | 3
PID 2016 wrote to memory of 4696 | 2016 | ComputerRaper.exe | 94 | 3
PID 2016 wrote to memory of 2612 | 2016 | ComputerRaper.exe | 95 | 3
PID 2016 wrote to memory of 3852 | 2016 | ComputerRaper.exe | 96 | 3
PID 1992 wrote to memory of 4688 | 1992 | BadRabbit.exe | 97 | 3
PID 2016 wrote to memory of 3760 | 2016 | ComputerRaper.exe | 99 | 3
PID 3852 wrote to memory of 448 | 3852 | CryptoWall.exe | 98 | 3
PID 3076 wrote to memory of 3772 | 3076 | 7ev3n.exe | 100 | 3
PID 2612 wrote to memory of 2368 | 2612 | CryptoLocker.exe | 101 | 3
PID 4688 wrote to memory of 1860 | 4688 | rundll32.exe | 102 | 3
PID 3772 wrote to memory of 4932 | 3772 | system.exe | 103 | 3
PID 3772 wrote to memory of 4276 | 3772 | system.exe | 104 | 3
Processes
PID 2016 (depth 1): C:\Users\Admin\AppData\Local\Temp\ComputerRaper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ComputerRaper.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID 1008 (depth 2): C:\Users\Admin\AppData\Roaming\AgentTesla.exe
    Command line: "C:\Users\Admin\AppData\Roaming\AgentTesla.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  PID 2948 (depth 2): C:\Users\Admin\AppData\Roaming\HawkEye.exe
    Command line: "C:\Users\Admin\AppData\Roaming\HawkEye.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  PID 4992 (depth 2): C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe
    Command line: "C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 4304 (depth 3): C:\Users\Admin\AppData\Local\Temp\is-9DHTO.tmp\butterflyondesktop.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-9DHTO.tmp\butterflyondesktop.tmp" /SL5="$70044,2719719,54272,C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  PID 5028 (depth 2): C:\Users\Admin\AppData\Roaming\$uckyLocker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
  PID 3076 (depth 2): C:\Users\Admin\AppData\Roaming\7ev3n.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7ev3n.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 3772 (depth 3): C:\Users\Admin\AppData\Local\system.exe
      Command line: "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 4932 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      PID 4276 (depth 4): C:\Windows\SysWOW64\SCHTASKS.exe
        Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        - Scheduled Task/Job: Scheduled Task
      PID 3800 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID 2940 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID 4816 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID 1708 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID 1556 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        PID 920 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      PID 1952 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        PID 4124 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      PID 4408 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        PID 3936 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      PID 3136 (depth 4): C:\windows\SysWOW64\cmd.exe
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        PID 6040 (depth 5): C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
  PID 4868 (depth 2): C:\Users\Admin\AppData\Roaming\Annabelle.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Annabelle.exe"
    - Executes dropped EXE
    PID 5864 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 5676 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 5964 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 4088 (depth 3): C:\Windows\SYSTEM32\NetSh.exe
      Command line: NetSh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  PID 1992 (depth 2): C:\Users\Admin\AppData\Roaming\BadRabbit.exe
    Command line: "C:\Users\Admin\AppData\Roaming\BadRabbit.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 4688 (depth 3): C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 1860 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Delete /F /TN rhaegal
        PID 5520 (depth 5): C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Delete /F /TN rhaegal
      PID 3516 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 355692445 && exit"
        PID 6004 (depth 5): C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 355692445 && exit"
          - Scheduled Task/Job: Scheduled Task
      PID 5220 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
        PID 4532 (depth 5): C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:43:00
          - Scheduled Task/Job: Scheduled Task
      PID 5256 (depth 4): C:\Windows\C033.tmp
        Command line: "C:\Windows\C033.tmp" \\.\pipe\{2E7869C2-1E8F-48CA-A883-5EDB41C0B178}
      PID 5908 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      PID 5744 (depth 4): C:\Windows\SysWOW64\cmd.exe
        Command line: /c schtasks /Delete /F /TN drogon
  PID 1100 (depth 2): C:\Users\Admin\AppData\Roaming\Birele.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Birele.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID 4084 (depth 3): C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM explorer.exe
      - Kills process with taskkill
  PID 544 (depth 2): C:\Users\Admin\AppData\Roaming\Cerber5.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Cerber5.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID 3124 (depth 3): C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      - Modifies Windows Firewall
    PID 3156 (depth 3): C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall reset
      - Modifies Windows Firewall
  PID 4696 (depth 2): C:\Users\Admin\AppData\Roaming\CoronaVirus.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  PID 2612 (depth 2): C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 2368 (depth 3): C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe" /w0000021C
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  PID 3852 (depth 2): C:\Users\Admin\AppData\Roaming\CryptoWall.exe
    Command line: "C:\Users\Admin\AppData\Roaming\CryptoWall.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID 448 (depth 3): C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\syswow64\explorer.exe"
      - Drops startup file
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      PID 2012 (depth 4): C:\Windows\SysWOW64\svchost.exe
        Command line: -k netsvcs
        - System Location Discovery: System Language Discovery
  PID 3760 (depth 2): C:\Users\Admin\AppData\Roaming\DeriaLock.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DeriaLock.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  PID 4100 (depth 2): C:\Users\Admin\AppData\Roaming\Dharma.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Dharma.exe"
    - Executes dropped EXE
  PID 1456 (depth 2): C:\Users\Admin\AppData\Roaming\Fantom.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Fantom.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  PID 4936 (depth 2): C:\Users\Admin\AppData\Roaming\GandCrab.exe
    Command line: "C:\Users\Admin\AppData\Roaming\GandCrab.exe"
    - Executes dropped EXE
  PID 2408 (depth 2): C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe
    Command line: "C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"
  PID 2964 (depth 2): C:\Users\Admin\AppData\Roaming\Krotten.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Krotten.exe"
  PID 2616 (depth 2): C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"
  PID 4372 (depth 2): C:\Users\Admin\AppData\Roaming\NotPetya.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NotPetya.exe"
  PID 4488 (depth 2): C:\Users\Admin\AppData\Roaming\Petya.A.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Petya.A.exe"
  PID 4576 (depth 2): C:\Users\Admin\AppData\Roaming\PolyRansom.exe
    Command line: "C:\Users\Admin\AppData\Roaming\PolyRansom.exe"
    PID 5508 (depth 3): C:\Users\Admin\WUcgcggI\DyswYAQE.exe
      Command line: "C:\Users\Admin\WUcgcggI\DyswYAQE.exe"
    PID 5580 (depth 3): C:\ProgramData\AEAUEQUs\soEUUsYM.exe
      Command line: "C:\ProgramData\AEAUEQUs\soEUUsYM.exe"
    PID 5680 (depth 3): C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
      PID 1812 (depth 4): C:\Users\Admin\AppData\Roaming\PolyRansom.exe
        Command line: C:\Users\Admin\AppData\Roaming\PolyRansom
    PID 6036 (depth 3): C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      - Modifies registry key
    PID 6028 (depth 3): C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      - Modifies registry key
    PID 6020 (depth 3): C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      - Modifies registry key
    PID 6092 (depth 3): C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmEUoscI.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
  PID 3232 (depth 2): C:\Users\Admin\AppData\Roaming\PowerPoint.exe
    Command line: "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
    PID 2720 (depth 3): C:\Users\Admin\AppData\Local\Temp\sys3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  PID 5892 (depth 2): C:\Users\Admin\AppData\Roaming\RedBoot.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RedBoot.exe"
  PID 6124 (depth 2): C:\Users\Admin\AppData\Roaming\RedEye.exe
    Command line: "C:\Users\Admin\AppData\Roaming\RedEye.exe"
    PID 5432 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 4672 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 5076 (depth 3): C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    PID 5800 (depth 3): C:\Windows\SYSTEM32\NetSh.exe
      Command line: NetSh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
  PID 4588 (depth 2): C:\Users\Admin\AppData\Roaming\Rensenware.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Rensenware.exe"
  PID 5468 (depth 2): C:\Users\Admin\AppData\Roaming\Rokku.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Rokku.exe"
PID 5556 (depth 1): C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa392c855 /state1:0x41c64e6d
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job: 1
  - Scheduled Task: 1
- Windows Management Instrumentation: 1
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Defense Evasion
- Direct Volume Access: 1
- Impair Defenses: 2
  - Disable or Modify System Firewall: 1
  - Safe Mode Boot: 1
- Indicator Removal: 2
  - File Deletion: 2
- Modify Registry: 4
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.62D7BA854C61DA17F04364138306B5BAA2766D5690753EE4D8F5B86020388CC2
Filesize: 16B
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML.62D7BA854C61DA17F04364138306B5BAA2766D5690753EE4D8F5B86020388CC2
Filesize: 4KB
-
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-2878641211-696417878-3864914810-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg
Filesize: 262KB
-
Filesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
Filesize
11.5MB
MD5928e37519022745490d1af1ce6f336f7
SHA1b7840242393013f2c4c136ac7407e332be075702
SHA2566fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA5128040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
-
Filesize
261KB
MD57d80230df68ccba871815d68f016c282
SHA1e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA51264d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize
291KB
MD5e6b43b1028b6000009253344632e69c4
SHA1e536b70e3ffe309f7ae59918da471d7bf4cadd1c
SHA256bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
SHA51207da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
Filesize
181KB
MD50826df3aaa157edff9c0325f298850c2
SHA1ed35b02fa029f1e724ed65c2de5de6e5c04f7042
SHA2562e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
SHA512af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
390KB
MD55b7e6e352bacc93f7b80bc968b6ea493
SHA1e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA25663545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA5129d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
Filesize
225KB
MD5af2379cc4d607a45ac44d62135fb7015
SHA139b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA25626b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA51269899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
-
Filesize
220KB
MD53ed3fb296a477156bc51aba43d825fc0
SHA19caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA2561898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
-
Filesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
Filesize
1.2MB
MD5e0340f456f76993fc047bc715dfdae6a
SHA1d47f6f7e553c4bc44a2fe88c2054de901390b2d7
SHA2561001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
SHA512cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
-
Filesize
10.6MB
MD5e9e5596b42f209cc058b55edc2737a80
SHA1f30232697b3f54e58af08421da697262c99ec48b
SHA2569ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
SHA512e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
Filesize
96KB
MD560335edf459643a87168da8ed74c2b60
SHA161f3e01174a6557f9c0bfc89ae682d37a7e91e2e
SHA2567bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
SHA512b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb
-
Filesize
666KB
MD597512f4617019c907cd0f88193039e7c
SHA124cfa261ee30f697e7d1e2215eee1c21eebf4579
SHA256438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499
SHA512cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
1KB
MD5c50440f3e9eefa1857e73728bcff0d53
SHA1789d0847aaaa1f17fbfccfc5a7a968fad8d2959f
SHA25640b87abbbe14d39543fb4f0b11ecb28ff92d36e24efb46c2ee02d7401348ccd7
SHA512f40bea96adbb0d97c135bfd37e489ed0db262b84dd98ed759d9d3f58cf62d65cb176c0a3ea56b7ff29d1d67e959746f2a19614db3ec461ad2bbdbedd079f9758
-
Filesize
16B
MD552488ef3f42a79048b8cbb5503816741
SHA156651900d95ee36de389c29b7a7e6dedbb421eff
SHA2569ce5f9abb2fb204df9fc5db071bdfe0fefeb86da178d8c7b8e4ea29784c48154
SHA512d42a0c76a4d24d930a9b6ee15205a02a6edec97ca16e9febc6eb47d05ff7d6f2af7c3d430d416bf464dc561289428d412acc856718aa5ead58de51b1e8facd5e
-
Filesize
182KB
MD5ef76a7c9b86cd9e6af56e197fe7d8efc
SHA142cc899a0e95bf61e03a999a0455b76e063fb9f7
SHA256a5ce282d8fe5285d9e50dd0d8d89f1b57fa85f89bcdb1d07341d177a13e2058f
SHA512b6d84682a9e257d0fd157179348a6b3d848227e6017b8971889ff0cfc20bf09e9f697f285334f8848facf962801b3764c18bfdae65eda3665f7538878488f45f
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD5c29d6253d89ee9c0c872dd377a7a8454
SHA146be3800684f6b208e0a8c7b120ef8614c22c4b0
SHA25603f4198a279ea4c36a62cd271d3b2d796547013548666006fbef45e20bb920cb
SHA51250141de5e0a827688251161353932b677c85e0d6e6831293c9a0044543e541fe8bd4e62fa403abc06df9d220fd843aa58ff9cc37abf46be3e06ae14905c24a5e