Analysis
- max time kernel: 646s
- max time network: 653s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 22/12/2024, 20:50
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/NotReal96/Malware/blob/master/MrsMajor.md
Resource
win11-20241007-en
General
-
Target
https://github.com/NotReal96/Malware/blob/master/MrsMajor.md
Malware Config
Extracted
C:\Users\Admin\Downloads\WannaCry\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD84A3.tmp WannaCrypt0r.exe -
Executes dropped EXE 63 IoCs
pid Process 2116 NRVP.exe 572 WannaCrypt0r.exe 4980 taskdl.exe 5008 @[email protected] 872 @[email protected] 4840 taskhsvc.exe 4524 WannaCrypt0r.exe 1008 WannaCrypt0r.exe 1672 taskdl.exe 952 taskse.exe 2728 @[email protected] 1144 taskdl.exe 2560 taskse.exe 3152 @[email protected] 4784 taskse.exe 4576 @[email protected] 1536 taskdl.exe 4512 taskse.exe 4208 @[email protected] 3636 taskdl.exe 2616 taskse.exe 4876 @[email protected] 2328 taskdl.exe 3944 taskse.exe 616 @[email protected] 5112 taskdl.exe 2056 taskse.exe 1388 @[email protected] 1880 taskdl.exe 1256 NRVP (2).exe 3556 taskse.exe 3836 @[email protected] 4056 taskdl.exe 816 taskse.exe 2356 @[email protected] 2068 taskdl.exe 2456 MrsMajor 3.0.exe 2760 eulascr.exe 840 taskse.exe 4884 @[email protected] 2072 taskdl.exe 3772 taskse.exe 3748 @[email protected] 1164 taskdl.exe 2404 taskse.exe 3044 @[email protected] 3996 taskdl.exe 2740 @[email protected] 1932 taskse.exe 3136 taskdl.exe 3240 MLG.exe 2136 taskse.exe 2340 @[email protected] 1308 taskdl.exe 1784 taskse.exe 2760 @[email protected] 1488 taskdl.exe 2328 taskse.exe 1388 @[email protected] 756 taskdl.exe 4884 taskse.exe 2064 @[email protected] 3004 taskdl.exe -
Loads dropped DLL 8 IoCs
pid Process 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 2760 eulascr.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 3404 icacls.exe 3008 icacls.exe 1964 icacls.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2760-2852-0x00000000003D0000-0x00000000003FA000-memory.dmp agile_net -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bgesnwjhsz761 = "\"C:\\Users\\Admin\\Downloads\\WannaCry\\tasksche.exe\"" reg.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 39 drive.google.com 40 drive.google.com 114 drive.google.com 139 drive.google.com 16 camo.githubusercontent.com 16 drive.google.com 26 camo.githubusercontent.com 28 camo.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" MLG.exe Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCrypt0r.exe Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
resource yara_rule behavioral1/files/0x001900000002abda-223.dat upx behavioral1/memory/2116-237-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp upx behavioral1/memory/2116-250-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp upx behavioral1/memory/1256-2553-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp upx behavioral1/memory/1256-2557-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp upx -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\NRVP (2).exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString POWERPNT.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\WallpaperStyle = "2" MLG.exe Set value (str) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\TileWallpaper = "0" MLG.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION NRVP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000" NRVP.exe Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION NRVP (2).exe Set value (int) \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP (2).exe = "11000" NRVP (2).exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings msedge.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3820 reg.exe -
NTFS ADS 8 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\WannaCry.7z:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 856037.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\MrsMajor 3.0.7z:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 882554.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\NRVP (2).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\MLG.rar:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 667507.crdownload:SmartScreen msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3588 POWERPNT.EXE -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4572 msedge.exe 4572 msedge.exe 2308 msedge.exe 2308 msedge.exe 792 identity_helper.exe 792 identity_helper.exe 4904 msedge.exe 4904 msedge.exe 2076 msedge.exe 2076 msedge.exe 3424 msedge.exe 3424 msedge.exe 2268 msedge.exe 2268 msedge.exe 2268 msedge.exe 2268 msedge.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4840 taskhsvc.exe 4768 msedge.exe 4768 msedge.exe 2560 msedge.exe 2560 msedge.exe 436 msedge.exe 436 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2728 @[email protected] -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2888 7zG.exe Token: 35 2888 7zG.exe Token: SeSecurityPrivilege 2888 7zG.exe Token: SeSecurityPrivilege 2888 7zG.exe Token: SeRestorePrivilege 4736 7zG.exe Token: 35 4736 7zG.exe Token: SeSecurityPrivilege 4736 7zG.exe Token: SeSecurityPrivilege 4736 7zG.exe Token: SeIncreaseQuotaPrivilege 3920 WMIC.exe Token: SeSecurityPrivilege 3920 WMIC.exe Token: SeTakeOwnershipPrivilege 3920 WMIC.exe Token: SeLoadDriverPrivilege 3920 WMIC.exe Token: SeSystemProfilePrivilege 3920 WMIC.exe Token: SeSystemtimePrivilege 3920 WMIC.exe Token: SeProfSingleProcessPrivilege 3920 WMIC.exe Token: SeIncBasePriorityPrivilege 3920 WMIC.exe Token: SeCreatePagefilePrivilege 3920 WMIC.exe Token: SeBackupPrivilege 3920 WMIC.exe Token: SeRestorePrivilege 3920 WMIC.exe Token: SeShutdownPrivilege 3920 WMIC.exe Token: SeDebugPrivilege 3920 WMIC.exe Token: SeSystemEnvironmentPrivilege 3920 WMIC.exe Token: SeRemoteShutdownPrivilege 3920 WMIC.exe Token: SeUndockPrivilege 3920 WMIC.exe Token: SeManageVolumePrivilege 3920 WMIC.exe Token: 33 3920 WMIC.exe Token: 34 3920 WMIC.exe Token: 35 3920 WMIC.exe Token: 36 3920 WMIC.exe Token: SeIncreaseQuotaPrivilege 3920 WMIC.exe Token: SeSecurityPrivilege 3920 WMIC.exe Token: SeTakeOwnershipPrivilege 3920 WMIC.exe Token: SeLoadDriverPrivilege 3920 WMIC.exe Token: SeSystemProfilePrivilege 3920 WMIC.exe Token: SeSystemtimePrivilege 3920 WMIC.exe Token: SeProfSingleProcessPrivilege 3920 WMIC.exe Token: SeIncBasePriorityPrivilege 3920 WMIC.exe Token: SeCreatePagefilePrivilege 3920 WMIC.exe Token: SeBackupPrivilege 3920 WMIC.exe Token: SeRestorePrivilege 3920 WMIC.exe Token: SeShutdownPrivilege 3920 WMIC.exe Token: SeDebugPrivilege 3920 WMIC.exe Token: SeSystemEnvironmentPrivilege 3920 WMIC.exe Token: SeRemoteShutdownPrivilege 3920 WMIC.exe Token: SeUndockPrivilege 3920 WMIC.exe Token: SeManageVolumePrivilege 3920 WMIC.exe Token: 33 3920 WMIC.exe Token: 34 3920 WMIC.exe Token: 35 3920 WMIC.exe Token: 36 3920 WMIC.exe 
Token: SeBackupPrivilege 1520 vssvc.exe Token: SeRestorePrivilege 1520 vssvc.exe Token: SeAuditPrivilege 1520 vssvc.exe Token: SeTcbPrivilege 952 taskse.exe Token: SeTcbPrivilege 952 taskse.exe Token: SeTcbPrivilege 2560 taskse.exe Token: SeTcbPrivilege 2560 taskse.exe Token: SeTcbPrivilege 4784 taskse.exe Token: SeTcbPrivilege 4784 taskse.exe Token: SeTcbPrivilege 4512 taskse.exe Token: SeTcbPrivilege 4512 taskse.exe Token: SeTcbPrivilege 2616 taskse.exe Token: SeTcbPrivilege 2616 taskse.exe Token: SeTcbPrivilege 3944 taskse.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 2116 NRVP.exe 2116 NRVP.exe 5008 @[email protected] 5008 @[email protected] 872 @[email protected] 872 @[email protected] 2728 @[email protected] 2728 @[email protected] 3152 @[email protected] 4576 @[email protected] 4208 @[email protected] 3588 POWERPNT.EXE 3588 POWERPNT.EXE 3588 POWERPNT.EXE 3588 POWERPNT.EXE 3588 POWERPNT.EXE 4876 @[email protected] 616 @[email protected] 1388 @[email protected] 1256 NRVP (2).exe 1256 NRVP (2).exe 3836 @[email protected] 2356 @[email protected] 2356 @[email protected] 2456 MrsMajor 3.0.exe 4884 @[email protected] 3748 @[email protected] 3044 @[email protected] 2740 @[email protected] 2340 @[email protected] 2760 @[email protected] 1388 @[email protected] 2064 @[email protected] -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 2776 attrib.exe 4152 attrib.exe 3956 attrib.exe 4928 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NotReal96/Malware/blob/master/MrsMajor.md1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3bd03cb8,0x7ffc3bd03cc8,0x7ffc3bd03cd82⤵PID:1444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:22⤵PID:3320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:1352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:4968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵PID:1144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵PID:3900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:1896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4000 /prefetch:82⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3424
-
-
C:\Users\Admin\Downloads\NRVP.exe"C:\Users\Admin\Downloads\NRVP.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:4748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 /prefetch:82⤵PID:4164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:12⤵PID:840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:12⤵PID:3148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵PID:1552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:12⤵PID:3028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:12⤵PID:404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5896 /prefetch:82⤵PID:3148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6720 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:12⤵PID:1592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵PID:3952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:12⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:12⤵PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:4012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:12⤵PID:1396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 /prefetch:82⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2560
-
-
C:\Users\Admin\Downloads\NRVP (2).exe"C:\Users\Admin\Downloads\NRVP (2).exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:12⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:12⤵PID:3268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵PID:1756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:12⤵PID:464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:12⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:12⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:12⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵PID:3728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:436
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3508
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4520
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3152
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\" -spe -an -ai#7zMap24933:76:7zEvent42251⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2888
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\" -spe -an -ai#7zMap7767:76:7zEvent287461⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4736
-
C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2776
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:3404
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 20411734900779.bat2⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- System Location Discovery: System Language Discovery
PID:1888
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4152
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5008 -
C:\Users\Admin\Downloads\WannaCry\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4840
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs2⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Users\Admin\Downloads\WannaCry\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:872 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3920
-
-
-
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bgesnwjhsz761" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\tasksche.exe\"" /f2⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bgesnwjhsz761" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3820
-
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]PID:3152
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4576
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]PID:4208
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3636
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4876
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:616
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1388
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3556
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]PID:3836
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:816
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2356
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:840
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3772
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3748
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]PID:2740
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2340
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1388
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Users\Admin\Downloads\WannaCry\taskse.exetaskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4884
-
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2064
-
-
C:\Users\Admin\Downloads\WannaCry\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3956
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4928
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1964
-
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Downloads\JoinCheckpoint.potx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3588
-
C:\Windows\system32\NOTEPAD.EXEPID:4376
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\a5023ff4ff0b4f759914c68187a152a1 /t 3232 /p 27281⤵PID:2672
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵PID:1336
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MrsMajor 3.0\" -spe -an -ai#7zMap9614:80:7zEvent223931⤵PID:4604
-
C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456 -
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4BD.tmp\4BE.tmp\4BF.vbs //Nologo2⤵
- UAC bypass
- System policy modification
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\4BD.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\4BD.tmp\eulascr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760
-
-
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵PID:1556
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MLG\" -spe -an -ai#7zMap7525:64:7zEvent40631⤵PID:3252
-
C:\Users\Admin\Desktop\MLG\MLG.exe"C:\Users\Admin\Desktop\MLG\MLG.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:3240
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D01⤵PID:4556
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Hide Artifacts: 1
  - Hidden Files and Directories: 1
- Impair Defenses: 1
  - Disable or Modify Tools: 1
- Indicator Removal: 1
  - File Deletion: 1
- Modify Registry: 6
- Subvert Trust Controls: 1
  - SIP and Trust Provider Hijacking: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1
Downloads
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize 684B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\14cd1971-12ee-478a-a176-8ca96bd43356.tmp
Filesize6KB
MD5f07240ee7fa942d2777902e50b9329f1
SHA1a4de92eda895be40f1266e4b29afcbc6a84d414d
SHA2563368f99ad8e279abd28f232ae5fdcf075b53914c1da9ca991195f444d694916d
SHA5120d078dd6dc12cb019370b595330c5c68dd20b0c020b4dac7afa9d016159b92bf3f0f5b64784f3765a44ae76361e37826cb012cced6625acce6dd6cf286b924b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\96c92441-4a30-432d-9d03-ff8ee8d7e22b.tmp
Filesize5KB
MD541b030411f15c4f0ac4a91283333606b
SHA172644ae9c07731e478adcf238074e0d320f9b62d
SHA25614102af3eac88a216fcde235127d9799d5f4642a6f26caf2baaeceba16c4b953
SHA5129daceffddc8adfe1169056bfef95fdf9442fb24157cba6de385a04a574d34697f6388873c679d2849534d1dfeb022199e7ad50fdaa5cd71ecec007578f389bd6
-
Filesize
45KB
MD5f5d67637a72e7f1d04e194f936160a98
SHA12e5de8f54b39822d240f8c886e0837dc810f5103
SHA25604fd727cf78a025d1b7f6883131742a14a73d717348ce029eca43d26d776320a
SHA51205e39d8d22fefb42ca71eb718c694c995a487251315c6e889239f4e1df4d98465cd18f83421b8ea9a92655206dbfb5d0cb59ee6a88a346e7fee2029c0742e9b1
-
Filesize
20KB
MD50b17fd0bdcec9ca5b4ed99ccf5747f50
SHA1003930a2232e9e12d2ca83e83570e0ffd3b7c94e
SHA256c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d
SHA51249c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28
-
Filesize
37KB
MD556690d717897cfa9977a6d3e1e2c9979
SHA1f46c07526baaf297c664edc59ed4993a6759a4a3
SHA2567c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e
SHA512782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939
-
Filesize
18KB
MD57d54dd3fa3c51a1609e97e814ed449a0
SHA1860bdd97dcd771d4ce96662a85c9328f95b17639
SHA2567a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247
SHA51217791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896
-
Filesize
38KB
MD5c7b82a286eac39164c0726b1749636f1
SHA1dd949addbfa87f92c1692744b44441d60b52226d
SHA2568bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0
SHA512be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5
-
Filesize
108KB
MD5826fcef324d65bd4a1b93dc7af769869
SHA14074d8fc7df0cf0cb5c3e138c5df35f1735e97f6
SHA256a54dfae13e9513450a112297c99be623f1a28b67054241ca7f8ccf377c01f85b
SHA51202f36af602df751ba533518478ecb035a1051612414e09745358a4c6d6c269bfd2aee3a8a13367ee81edd306abf36c7c0acb0901cfc7a682a3e48ed031e978c1
-
Filesize
18KB
MD58bd66dfc42a1353c5e996cd88dc1501f
SHA1dc779a25ab37913f3198eb6f8c4d89e2a05635a6
SHA256ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839
SHA512203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6
-
Filesize
18KB
MD5f1dceb6be9699ca70cc78d9f43796141
SHA16b80d6b7d9b342d7921eae12478fc90a611b9372
SHA2565898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f
SHA512b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de
-
Filesize
58KB
MD56c1e6f2d0367bebbd99c912e7304cc02
SHA1698744e064572af2e974709e903c528649bbaf1d
SHA256d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8
SHA512ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a
-
Filesize
26KB
MD573fc3bb55f1d713d2ee7dcbe4286c9e2
SHA1b0042453afe2410b9439a5e7be24a64e09cf2efa
SHA25660b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f
SHA512d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b
-
Filesize
105KB
MD5b8b23ac46d525ba307835e6e99e7db78
SHA126935a49afb51e235375deb9b20ce2e23ca2134c
SHA2566934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6
SHA512205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6
-
Filesize
39KB
MD5a2a3a58ca076236fbe0493808953292a
SHA1b77b46e29456d5b2e67687038bd9d15714717cda
SHA25636302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426
SHA51294d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607
-
Filesize
53KB
MD52ee3f4b4a3c22470b572f727aa087b7e
SHA16fe80bf7c2178bd2d17154d9ae117a556956c170
SHA25653d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799
SHA512b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146
-
Filesize
20KB
MD5b9cc0ef4a29635e419fcb41bb1d2167b
SHA1541b72c6f924baacea552536391d0f16f76e06c4
SHA2566fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf
SHA512f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e
-
Filesize
88KB
MD576d82c7d8c864c474936304e74ce3f4c
SHA18447bf273d15b973b48937326a90c60baa2903bf
SHA2563329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8
SHA512a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46
-
Filesize
65KB
MD50c3ecdd95c2f73c55c7e223bdd76a64a
SHA1e2cfcf25c29ac990426ef168678f3718d9bebd0e
SHA256f6b14fb731c0874a973319ecb9f91d7c4bb4876fb2bc5c3c78717ed64c6beee5
SHA51265bed963b5fe8b8ab24b154f891a9aabb2f44dc7c4ba39574dfd472432f52a65049d03013099c0d7db58d6b79c793178178865829e7c7c076dc774d2930899fc
-
Filesize
16KB
MD55615a54ce197eef0d5acc920e829f66f
SHA17497dded1782987092e50cada10204af8b3b5869
SHA256b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26
SHA512216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a
-
Filesize
349KB
MD5820e418adaba48f77758a4b1aa5ddd6b
SHA180ea0ccbdec0db588e7f29abbc54f8ee3e0f5eae
SHA25699ed73cda6a71ca33baff2c7fb5e49dba8b343fd84c8d8d927f36694ae7b6cfd
SHA5122d46c05dbcf6070ed5e99828b5c585cb7e84f676824b9fcc7bfecaa31ff294de7e3db36caee8e81fad80fa5da99a00b6748cb3787832039418899d53d8278160
-
Filesize
78KB
MD5f14db10e5d1616efa4ab1ef7292e2887
SHA15cda4534aab33d8aad06b6484fa351126ee0952a
SHA25643e9d2e09d219c4ef3538586d5debf7fd55243f1cd5fb3084bb5c4ccc8108573
SHA5127826ebae5be9611006a14530ef2f253ad6b41119a2f65b3463f9734da6c0f6d5d37c2c79a22fe99f12f13a3083c03ad38d1b98e4d9465f2f508e9a00cb6a1bf5
-
Filesize
706KB
MD58da8465b4947a26c1565fef278db8296
SHA1e194a2f442133440d9402af1f615551106bd7e97
SHA2565a123b56f99a6384500b67fce28bcb0e18da99e3159714cbc9fd6da01e8a52bc
SHA512f148317acbdc77a0d852917aff758c23295ae8ff41aedb9ceb7e4d8d3f185fd5ebf4fb0c294a2357a925b1116b41a04e3ce15442b28decb0022496fd76eedd0e
-
Filesize
38KB
MD5300ab1d3d1d01c71825202e5cbf514b6
SHA19bf3b940af192a501b9f6e1b988bebee5bdd01db
SHA256c9901d0166e1832e564f7eebd860ab37db44c88aa61b3dcc5ba1d5ee3b282598
SHA5124f8b3839db58fe596b66be553c193c4cf836d49be068c6ccb485f63729ceed5e06a405b6c1b41e6a3c106585fef47b805311e64042652d0e2deeea2cad01e602
-
Filesize
38KB
MD56f9bcbd9790889389f52578f0c27177e
SHA1941fcd07ce8c21efda837ce99c2c0c532a153115
SHA256f83e87421cda34647dbbbd00cd215a7f86445af8b2e550fc88413a757b89caa6
SHA5128e20dee4c862b915790779e05fbb8bcb61d686c6f11f9bf74f459ebb97979e590c5fa4aec6bd83d9eaa68b2cfd6629144b4123c2a9c6757f777593dad313a0bc
-
Filesize
70KB
MD562119404de7c6215befaf75fee22a40e
SHA1f023f66fb888f2bcd4600780ac68b53c00bc83f1
SHA256d5dea790d41be3eb001ca64fc6c25fd2e90b674cadc3a9e8c1a2471ab9e80cf2
SHA5121c6c00a5288224375a7b7edb257ff63c4d10c1b17fb74b7511bb4e601af6354fef515e2032fdb754b2f948fc113ccbd8c3042715c47e06a071bcb9bd45d5b525
-
Filesize
71KB
MD5aad3e1a4cf7688c7de5d579cd0ba0454
SHA1db595849febaabfa8513c1791dda0e88da29a6d2
SHA256504f2b59bc83e538cce2f9a9fc2ba87a351686498b6418e64040d0c794967bae
SHA5123f9b4c13bff9fb421dec7b1e59814bf14a3916c59b92912078c72db71cc2e35438b14f7d505bb41f48196fe468e9a0ec872f0179835939a8705cd56b0f1833a3
-
Filesize
94KB
MD53bb391dbccd515298ac16d20f19f51db
SHA10b6f884794058959737af3daf017ff0a26255dd0
SHA25655f8a7ecd5be730a6974b9676b82fa54adbcb8517fbed2ca81d14c89438edc6f
SHA512e69a822ca247f4e847fac35ebcd8eb4723a5a8331c80b4be3037618e29b2ef95b6a70f0f969a4e30b0f22d3cfc9275b309f01c787913a861678d1ea9d0dbefd0
-
Filesize
279KB
MD549ba2b8097734a24c5cfeb11fb1e5e75
SHA1f625327085373a80b847491a5ef94c4d21083a6d
SHA256fbeb1fb9c77dd730c9222d7e8665adc9b4c5cebe0ba05e8208e5b9e5e526846c
SHA512a428bd534773894d8f0a5685b7ae1e4db2e164439ef433c89e7762f648436c9d7e9f0e6da212cdf729d9e4b232c9f79c56e368515376636587e0c1977fa11283
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5aeb93936ea6657f2b67067de2b5cf2e3
SHA185842aeb84d1a2830314d3a3c5dff76ebf7ef58d
SHA2562effb450d4f1a3283e5b4a452082baf97aa95fa1c5c3133d715058c6e8d6c4c0
SHA512950e173e94f3a91bf53daeefcc9c882a3bec31e231b7f6fcaac1d453ff99dace8a4cf4f14aa1062f268861bc338de2947305e712fd6bc34e1fe2a4b4228f4621
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD540801057a2eadf42b5947df9a58e458f
SHA14a8ef7b0b2c070f6ebeb2091492b8ea7f09e66ec
SHA256a057d6200fef403a72c90065e8d0ed542156b7e00da381eb4e6163b86720d65b
SHA5129feb95e9ae4717d698ef6a4dd6056f3f35b6af1636f314d4f857db3f7834c4903c5b75f51c1473795ce169b0b646111ff30a3ab80aed8f5a304f72bc749d4b57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD510b9b766b13cd0d4df1e3c16b527d316
SHA14b038ace2fef2105de12d4284d1198fbd7a5cc47
SHA256f11cec86cc7045b9388e987aee7b83cddfa03a9b93fbfd76597b0a8baff77f60
SHA51255144516434ffe2e6c173069c60b84982fc54835e1ff6b327118ec874738c58744d29846a44cf7cc479c19dd9fe3a60dddd1e04726d5937a1500f9f7650bab9b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD584b130be3a3b20a4900d0a3a1ea90c0f
SHA15587d1e663015b17991fea65277ab7471879f53e
SHA256726bb75531390482827c01eeeec61d53717c91b07b437801cccc9d439537444a
SHA5128487e0efb6771ee12c609fb7aa4b4df747cb440e924131515987cbb2039d2b1888fe3c2cf4d960183714a51f82d13b1a6084b3ed9af400e6f3e40bfeeef384c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5dafed60abf2489a376d88bfb88141e8f
SHA1f5dfbd71ccf33c3f53c84ea53f3b9cc5e750fc55
SHA256af96e477cce31422a84a45c02fcaf7a9368903d38cbb872161224478cf06e069
SHA5123c25920cdffa55fd4285a4b42d1113374bd373e4828d5b69ba3f633fc9f8cebd33085c3e9a7833c19a505e43dd1776b986ff91192fd4a9643754f4c1fe7452e3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5e16a9d6d63743fca56f65465d9f859bb
SHA1c92787bfa1c8dde1309475747ee84575e86dd3d2
SHA25677842059a6e0287705194bb0bad2bcb43e3d9dfb0316471fe6a662cee33f3a9f
SHA512c6fbe07bdadd90561bef4d4be159fda6e34f7389575f0a16e5dffc826b648129e9215f75aaf9c5ed45314a27c32b8638e9595853629ab35e3482ddc3a11dd70a
-
Filesize
4KB
MD5a7caf73d643bc3a994e5022be51d2afa
SHA1197df07bfca5a61b193e409604f4613e7dbe625c
SHA2563300a20f48d05da7f6ec25b07b343273e7e5ad8fae2fc32dfd8d9492aa617d44
SHA512c69ec0ec84744e9ff5e3678754248dd872d6b53c4a707b7ffeb8e8667488b57276a4fd0f7b49b3f90c1caf8d8201d3329bf23fa43397c3b45ca766ebc6c526f7
-
Filesize
4KB
MD5492d6cc5b9336f020471ebffc050e3e4
SHA1bbef9051ccd0c52c4bc94f1d760e1df5997a7e2f
SHA2566ebe5a833a036bf1b9669705e60044561c28f916dc0fe01103462ea450ed5e26
SHA5129be6eb27c79b091953a45edaf7d4baf9d4c4b3d87a3797708538975f1ebc6f6733a91eb5457dedc14ac30634f6b812b26221d17448eadbbd25cff6107006927b
-
Filesize
1KB
MD58b831c3bc9dfa5cc91cba3c39d3b35ba
SHA117bd436f3f0a4c901cb853aaa08d139ecf90bea8
SHA2562b20d7645bd63354d1620eabaa2eade4c0cc9a05004e6b893a51d884956049eb
SHA5121cd29805d2faa3f90c5f8503907b884bb2dfb3fdd33558e4d65b9b0e6b9c76f501e8b6c4ed7bebc9fafc08a52b154d2a7e4aa322e9f444bc53d344e0c10aae5e
-
Filesize
4KB
MD5d2e57f7be833b3efe8632a41c6a9279e
SHA121fe8455bd1a365c4bd2bd2ef898ff03bc26f5b0
SHA256aa68a47f0f5a50ed1e85610b79e0e8af67d4cefc0551e2cc8c240c620e72c5ff
SHA5129b20ab59a03878c17cea590b4b1129a950aa659558f51713b0f2d599035ac813c27c8f06d167d06497d7f2178fa34f85aa77ad896bb21ea94d6ee1dd8ccd974a
-
Filesize
4KB
MD5c9d5cc7ae813bccd0d6baa97931efdd6
SHA1838496543c605cf9b7167bdb2718a220cdc5e10d
SHA256865c0e8af9b1a8273076ac3cff1ab0fa893b37eda6a180bd00ebf3755718b5d1
SHA5128f30db9bf56d6c1924d5ceb0aba9e3846e8cbfc46d2d34a47118218d6a6746da6549b188d2acf32f9a2b0acafecbcb04e389a3c7798d8ebc40e62554686de7b9
-
Filesize
4KB
MD5d24444620a10cc7892d00d2fd425e19a
SHA1178ae327d59130b033a6014bbabce309670067f3
SHA25689db84fec00b4668edb48852463f9bd16f0784e7227e210cf19c31a39d91cbac
SHA512e8a7d67af25f250ceed2497b44ea8ff6d06dc5828c0a79c955e3385c2caf8e9d0ae9b8aafd1e8b7e8ab1a0a1de66ab28dfcbff9a3199c4107feacd0b57c2c6a4
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
4KB
MD568561e32e11f1f308fb970875a945c05
SHA15e8b6f0de60d57a7e6d56a295b601dbeb29bd903
SHA256268e2447666461615172bba7c62420162fa1eaebcef14d10da30c4a2a87453ef
SHA5121be58757d0f0a68d628bd3c0b07ad59e94a4912adb35e65d441fb3ea5a9be858ed595fe92ba1f9f49d19913645501bc9f10b5bbd896d2ae9eb0c2f2f6233e4ad
-
Filesize
7KB
MD528b2429734f8a5a78946d18e466596fa
SHA170a21580ed1b864e35cff46d2e540bbd0311b7e8
SHA256865f767a3cb5372690f5cf8c9857aabf99d769a288542600ba468669ffdcec11
SHA51282425483a050afc057d325c94f351a87c07b1a3beb8e3702d312810641c5d98e15bb87c78eb894487d33e7dcb2f201ee7de1cc98256cd43a2bb4f65dbc5554c9
-
Filesize
7KB
MD55721453aab52ee737e8e9546365563e0
SHA1d6348df3f26246b2cbc630bceb1549fcc7099b09
SHA25628120b7fbaa1101363806ee9d9e33399940f3a23787309cf20328b325344c1f4
SHA512768b8c4876c6d013e5d6e4676ba134a16abdb51961993cd1cd753ef7ccac7294f20bf4cde637176120dd20c6a839e8ac3392782d9ba2c4a4d80276feaa58f1a5
-
Filesize
7KB
MD5d40d6b74dab9a6f59c2ef6d257166e31
SHA1991ce5f79b296d9de675b4959d4573ea49467b71
SHA2569736d948e6eb9c5d1e0e88f1f9f997f788eed5888754ac9a926ac1ff0f149eea
SHA512cd969030eba8d39bbddb53687b834535dfe737f090d79ca479f811b46013ee839e3e0b68821348fbafddbd0239e5fa11232d058b57cdda259b481c5ab20a95b8
-
Filesize
7KB
MD52ed6333a255a7bddb6e0750b4c10fdfe
SHA1fcb29c651f71be9bf4d7c855e1e7f31057a9365d
SHA256713ac092c7af1914093bf7bd8c54f9e86ca17c5f4182d56e8ef0b9a95787b745
SHA512ef6ade19a4cd6934c86b5bb4c05e2fb6077c2725302e541df3e95364f0a0b9ca516ed814cc3cba3432fa5ee54ff76da3cac0992448b2bb9eff0b5093fe547458
-
Filesize
7KB
MD5bee10acb897edea484f8c4a734a76339
SHA1de31065fc72013cdcd9a3eef56558d3d757a8036
SHA256daf9cd42f3a6ce2e86c01bb8b5fd8fa8154f96d66c66f4ec20118a959f44b500
SHA5120a6a3af37cb6a5fdffcd8a25f5f962f0288880f560e41d2b8135afd890ea88a0174227c528be518b13402ea872bc6fa2e32003779d8c0a3a7690bb423d8898d9
-
Filesize
7KB
MD51631a6950f2896980d40eddcbc827843
SHA1f86534458a8d6189f2c803dffe8f9cdbd103ebda
SHA256a2e833dee5a302b816bd490e46c9259b88394647405cc1b05ac93aee3778e9e2
SHA51203339b26db4b10c3564b1260a72d7aeec9931843c2c4eb1361f223ff1f7641a15c496218bcba274b652ebace1c350b57b7c0f12740c7aa71184ddf65d7c85170
-
Filesize
6KB
MD51042ed30e24b4491356febaf30342afe
SHA1f59fcfeacbda1df5a6bc4eaf58080a7376634473
SHA25644bf407edcf2313e6fe8b305871648c6a7cb2310919e37229dc358607be040f4
SHA51254d7ebc7f49569491998930d85bb2635738fd1c7dfb7b1eb79d3870a9a9af00730c2d2e725a23e0753cc4a33aba3df7171394a043bb305ccda34e7ea0c37367c
-
Filesize
2KB
MD57ff4eb23fa3ff8d0eeb2b34b4e686d62
SHA18a62c86ffb25a3e788b96ffaf7853a06f8fb9955
SHA2564997f46c27748e186fb5ebb974c2967e1faca156cc067723ecbdb972b4d726f9
SHA51293575b40a2f5fc5b5dc186238492d3d14d7c4d00245b6793569b140edef59839bd78a1438c702756a2aac6754f138c58b5693662b3ebd3f9b08c4724380bc74e
-
Filesize
2KB
MD574edc97ea4cda98728304c21cbc92bb5
SHA1f9d83a45438740ca748291f62503551f8b489ca1
SHA256e332e13aa10606240adbdd0c4da9c75da80b5f4b90b1b2405bea738d559dd74c
SHA5129ab6c704d6f672966f40919673a24ecf44e5c7124fe16cd2951c51d0c53390d7c843899ed902ddac07591d1a2c61a5303b0242be359c9f133fd5a9665f73d5a4
-
Filesize
2KB
MD589931643f7bb426ac6efbcd2b66ebf7a
SHA1654f383784c0b7b7e1f114f63a8975d2749d31d1
SHA256f7bbbba78c089fca2a16c32123226477e281e9484b1b3be6593a341bf0464f5d
SHA512904c5947fd5765d78e0dfa6414506b883a8ef3576afa81a85ec4efb9dbf8c8a6e15e2b334d0896103912d03e060dee4f7ffb984154f265a8cb09b4a74875e011
-
Filesize
2KB
MD5f0dbaf640f52c7b3a51cff1e66230992
SHA181270b55c2868a43722cdaa3d4a7daa9e332ebdc
SHA2562aa95ff1710e455451e35f4ea54777a0310afd51ab706efe7b2eb512526d8076
SHA5121d3ea6460d993337d0c6cc038d5b7eb93db1117fa855960fbeb19e74d402520f16ebbc0c1268c8a851133c703a31a78e6d66770e786b1862351c8dc224b0cc6f
-
Filesize
1KB
MD5861c4d80a7769e2d8721a99e66146644
SHA1f1dd6516ec3a8e90f59b46721bb0148a6d8028b8
SHA2567d33bb7ab14e7def4fbff5703bb70d80a1d71dc9af853dfec5d31d88bceac9f5
SHA5122cc44b17a4a9e7130bad80212630b5e4b32c28f06e08f42f878c2130f44b101c108f74cc19855aeed6fe5d4c9dd2d295e3f141553ed929726c26320a1e9f62d3
-
Filesize
2KB
MD5741fc408902c572cf667d19808192717
SHA1d8f7dcf65c4884bc24d1dbf57f0b2c05434d2ede
SHA256e4e0737b40be61ac7763e960c4478977d540b8597de1c53e68d253c553f0af76
SHA5124e32fbd0186dd0d35ad63e39c191b2a05f54b11c1232a2d09acfd8166f4122c5352cf0e48f69c6edcd3b79ce749454f03f91e7d0c4f36a52f5272c257fa2b56f
-
Filesize
2KB
MD587e5beee942203a8d4de33aa3707a5f0
SHA1b661dd62ab02aa5c777d718b2ad818c4654c6854
SHA256673090817890e2b932a14b76ef05481387f602ca6115b9fda67377b7cb105e26
SHA512fd0ebd3bde4586a19f3d591e76ef91cfa9293e2061ae8871cf900c31acf8969f6a1245c226dc2286ee304571b7038a4a870271e2d7361767024be26f0772a869
-
Filesize
2KB
MD50471c6bd64052c310f24d088cd62021d
SHA1256053e47fe0dc9a4e62bcb1f9ee2a4470c82d58
SHA2568dacdba499350eae1725795675dec01bc2b4aeb4ff3c6d0d377a323b03fa4246
SHA5127706c4878cff73420694cc6b13ff86b082a271a58e20396fa1b33aaf99369d2923c6a2f7d6f338c771afcbf89b0773c5bf5e40df629f0efbe19ff8c3896c18ae
-
Filesize
2KB
MD5337649c5b797259c51ec9466932c403b
SHA1629cc7a26dd98cd460dccc3d5fc54934e98eca5b
SHA2562f728d6df70ded4dad81e56e2d2f523e9677a569606dca65c549b6c89e7ee7aa
SHA512fee42f47561e490dc26d9b495158e29d667b401499e1266ef7e7da0bf20693bab1fe3f6a0c060a9d99941471e0d4e25d5eed76cda0accce936cf410892a1bcb6
-
Filesize
2KB
MD51446f73aef0be352e89e44b9e879ac1e
SHA1343ce287a7c460ec47216942053aaff7c52663d2
SHA256cd1099c11cb1a2c4675cb7374dd5378e4ccfcc87124ac3cd92b0eb5119d3be1a
SHA5129b1efe4fc0285969f0f2c71e41aad72c6e990e9387c52ee28ee539d727d3515e0b86d8a74b4e819ff8988a4f93b8783ff6b4e08b8985d806b813009ef84ebecf
-
Filesize
1KB
MD5efc7f250b0fc727e7de64acd423e1c21
SHA10839611ceccbf05927dae80bf76ae2259dac0bd1
SHA256e5fe014e4f1d5ce2597da93f43ecb9fa27e2792e224b35fa1cf4959d5d7ac416
SHA512407011502d83894a4d4ad7414d381c580399b748216c1bd96f0c831bbc47850bda23475b38ece84e4d8e7d614ac76f0d66b7fc11c9745a01f8a4921d797829e0
-
Filesize
1KB
MD5e467b8af38685958a6ececbf7dd4eb7c
SHA134c684f62988b26ad042d359423f68c933323425
SHA25693dc7521c8c13bddd391ce67b581af9bdf35bd41905f15dfc0f0cfd94fbea1a6
SHA51280390685473dee8a2d177d17fafca4652343676311f5a059e1f510f6d6eedc88abeb2c5e0b0acc52f7ad1987b5ba70a8ed2ff4852325bab22b8fe7610e187ea1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f7ecd55b-2000-4e58-b569-87791d8268ed.tmp
Filesize4KB
MD518afccbfb8c1755c9528f0ff642b7655
SHA150cf9f24e53882b1d038763d042f2ea1cbb8f087
SHA256212e1d377ab7b5259524809ebf1fbadfd06fc5b5f644c90a9827965e8d6e06d8
SHA51217b7b6fd602b4e87c3cd990748545b1ad08a25b9f88601c1343503bf87887f8ad0a81cba1fc529fa4aa31830aec426f0db45c4f037757422da1a3bc26d10c6cc
-
Filesize
11KB
MD52dc2948874f73283f17747e01ff32a5d
SHA1e2d2c9435613b1ee2019de85316432a6f6af0892
SHA2569b8dddc525b5c651ffb7accfccf29856d6eaa8302f2efa092d786c217326165f
SHA5122107dd6e1106c2ae2128a547145b9474733934151df1b2bfb6588d8660fd8c09990964d90dd5d9f1e94534b1c571431d58f247c871db14ba333d09e6dfa0c6f7
-
Filesize
10KB
MD56ed9e54f62defc98f60117066c2556d3
SHA16faf5432a5ebef168b91a02bedc7dbfa36838e78
SHA256ceca6416d9efc12ade90d7b0b904335ab7a81f28497b3199d2c62a720caec15f
SHA5127f0da2ee1bd269c283a978c1c621d2279f00fb59015d6bcdbc1084f9b668cd8f361b6edf647afd3076159bf16f5e37338d7323f18d05b45dbc81066ea66bf90d
-
Filesize
11KB
MD57718eb57c82021ae97b0ae071b6232e5
SHA140cb30b875a15ad651612648f7c9303492cd8fde
SHA256074b261e471a62acb6c9e440a37b186ab6a473efdc73e08b4e23448066b7f014
SHA512b4ad62f1ce50e7650b64244dd368b9041aeec63f79846df5850f707d0b9e913f0a428d4a4e5766102d70a464af539c5371a4e5df10d87c5e75f930aa85c532cb
-
Filesize
11KB
MD5f018d12e5dc31d7f0f74b15c403fc057
SHA1cf1b6ee296a69c2d6468c5de9bdfbd1ab65014ca
SHA2567291e049a0e8bcad984034a6063a529faf2f04dc8bc968e6126144ced1371f98
SHA512e838a27e6bda40782f9f838fe15b73a6b3baaa363df78aec7dcfa148853383155754e1c1257987ed1499e33e46e1a05137f17d9b5763780480974982a038c0de
-
Filesize
10KB
MD551aff88ccf341e0fe48b8065ebfa9ac5
SHA1b14c2e2e9b4ce7879fed5f0e3669ac1435a1658f
SHA25641090b06ab7e4fdbba43096665d7d0c8042b3e37296d006d1faa5794d68fa5ba
SHA512ba527cae75ed364d50b2cc90f02f2a60fa48fd11310f798c8c9d3f61e110a45276678234f13ada9a255a86d598e3e25706db9a0c7a80a76480cb1b652bc92780
-
Filesize
11KB
MD53d0889b506f932b84bb7d0945f902a05
SHA129eb06254004ffac01535149bfc6a52d9ed6d041
SHA2564da85024f5cfa35c9619e5a603368b3ee87173263924722c982ee25fcf8cd3e7
SHA5126bafa47660f16f4a68396df97f5244c513d9569d81eadd1f111f8006b7fc8bb4ff1e69b43582b0bfd0d2eeb3057ade77b27845f32a1f4c5081505ad68d4c72af
-
Filesize
10KB
MD5faf2304e6e77406ff8e95c3c034d669c
SHA14393b0de558722369998a8091867449e958a7c37
SHA256b3a524fa854abd67ecd95a68295032301b99e24a785ef5256e574025bc2d3589
SHA512ce6b65114895103eea63d1c93c7f5a0a7bd73e8db84dda318ef3f70af54428bdc71ca19b1d918afb01398446ed9de4a66d97d5f8ea517af37a95b0f5effac63c
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
21.3MB
MD5c98bd129db79a4ab5fd46c4bb4ee1652
SHA1491af8a8800d7faaa4d6a0ff58ee1a33a352a615
SHA25656cabe0e0ca3db2b45a88664a4b321ed3d55c539ee61bd62ceab0c21ada4791d
SHA5127f7b0d896591958f7b1d169d1e8b4415d1fe9287f499c8bd70438772e25574567d159b3ae40eb157b6833f2beec421e3eb380961dcb865e9b66b49cc0087fe0a
-
Filesize
9KB
MD5f7349874043c175bee2d0ff66438cbf0
SHA1da371495289e25e92ad5d73dff6f29beea422427
SHA256f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b
SHA512878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad
-
Filesize
615B
MD57f34592061365a84511bef10d286ba81
SHA17a1f56bd6d63b9b93be4778a154c78cfa503c04e
SHA2563ad9b804757b8e45a435ee48748365330c1eea91b448b67b6c0bd694ad7882ca
SHA512a354c85fffc424de977a1c595902fd732be5f6e948904e7a8791041a1b116f72abaa991b1b8b3cbe10b5f73ba12ee2b77777a90e14db3431e5a0d0396f088ff8
-
Filesize
10.9MB
MD57c7fb86210ab287c5b1b8da0e493818e
SHA1fd0c9501f63ab40ad21b18f744c0ab126407b305
SHA256adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe
SHA512d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b
-
Filesize
234KB
MD5fedb45ddbd72fc70a81c789763038d81
SHA1f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a
SHA256eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2
SHA512813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298
-
Filesize
3.3MB
MD53d578d30f8947a0e4ca0b6e340c6f9d7
SHA1d581d6caec9ebe4aef2e0d365c8163116d18383d
SHA2566d8e3047582dfcece9e3284538ff46a16e1809de18b1a7543e2082ad0a009237
SHA512ccca55db5214f271d94a6d24596f74ae08e0d5ab053b9fedce6670d817ca0cf9065a5db76216362045e0133e6644139e73c72129c165c337898594c5d385da37
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]
Filesize933B
MD57a2726bb6e6a79fb1d092b7f2b688af0
SHA1b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA5124e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
C:\Users\Admin\Downloads\WannaCry\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
780B
MD58124a611153cd3aceb85a7ac58eaa25d
SHA1c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA2560ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17
-
Filesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
Filesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
Filesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
Filesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
Filesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
Filesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
Filesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
Filesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA25626fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
Filesize
36KB
MD508b9e69b57e4c9b966664f8e1c27ab09
SHA12da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
Filesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe