Analysis
max time kernel: 164s
max time network: 167s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64 arch:x86 image:win11-20241023-en locale:en-us os:windows11-21h2-x64 system
submitted: 19/01/2025, 11:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://example.com
Resource
win11-20241023-en
Errors
General
-
Target
http://example.com
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDACB2.tmp [email protected]
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAC9C.tmp [email protected]
-
Executes dropped EXE 8 IoCs
pid Process
2428 taskdl.exe
4268 @[email protected]
3444 @[email protected]
1896 taskhsvc.exe
4704 taskdl.exe
1708 taskse.exe
3140 @[email protected]
5300 taskhsvc.exe
-
Loads dropped DLL 8 IoCs
pid Process
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process
1272 icacls.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhxddduoei124 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\"" reg.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
30 raw.githubusercontent.com
58 raw.githubusercontent.com
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" [email protected]
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected]
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskhsvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected]
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Modifies data under HKEY_USERS 15 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "65" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe
-
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings msedge.exe
-
Modifies registry key 1 TTPs 1 IoCs
pid Process
4616 reg.exe
-
NTFS ADS 1 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier msedge.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process
1984 msedge.exe
1984 msedge.exe
4924 msedge.exe
4924 msedge.exe
1860 identity_helper.exe
1860 identity_helper.exe
3916 msedge.exe
3916 msedge.exe
4420 msedge.exe
4420 msedge.exe
1896 msedge.exe
1896 msedge.exe
1896 msedge.exe
1896 msedge.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
1896 taskhsvc.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 3184 WMIC.exe
Token: SeSecurityPrivilege 3184 WMIC.exe
Token: SeTakeOwnershipPrivilege 3184 WMIC.exe
Token: SeLoadDriverPrivilege 3184 WMIC.exe
Token: SeSystemProfilePrivilege 3184 WMIC.exe
Token: SeSystemtimePrivilege 3184 WMIC.exe
Token: SeProfSingleProcessPrivilege 3184 WMIC.exe
Token: SeIncBasePriorityPrivilege 3184 WMIC.exe
Token: SeCreatePagefilePrivilege 3184 WMIC.exe
Token: SeBackupPrivilege 3184 WMIC.exe
Token: SeRestorePrivilege 3184 WMIC.exe
Token: SeShutdownPrivilege 3184 WMIC.exe
Token: SeDebugPrivilege 3184 WMIC.exe
Token: SeSystemEnvironmentPrivilege 3184 WMIC.exe
Token: SeRemoteShutdownPrivilege 3184 WMIC.exe
Token: SeUndockPrivilege 3184 WMIC.exe
Token: SeManageVolumePrivilege 3184 WMIC.exe
Token: 33 3184 WMIC.exe
Token: 34 3184 WMIC.exe
Token: 35 3184 WMIC.exe
Token: 36 3184 WMIC.exe
Token: SeIncreaseQuotaPrivilege 3184 WMIC.exe
Token: SeSecurityPrivilege 3184 WMIC.exe
Token: SeTakeOwnershipPrivilege 3184 WMIC.exe
Token: SeLoadDriverPrivilege 3184 WMIC.exe
Token: SeSystemProfilePrivilege 3184 WMIC.exe
Token: SeSystemtimePrivilege 3184 WMIC.exe
Token: SeProfSingleProcessPrivilege 3184 WMIC.exe
Token: SeIncBasePriorityPrivilege 3184 WMIC.exe
Token: SeCreatePagefilePrivilege 3184 WMIC.exe
Token: SeBackupPrivilege 3184 WMIC.exe
Token: SeRestorePrivilege 3184 WMIC.exe
Token: SeShutdownPrivilege 3184 WMIC.exe
Token: SeDebugPrivilege 3184 WMIC.exe
Token: SeSystemEnvironmentPrivilege 3184 WMIC.exe
Token: SeRemoteShutdownPrivilege 3184 WMIC.exe
Token: SeUndockPrivilege 3184 WMIC.exe
Token: SeManageVolumePrivilege 3184 WMIC.exe
Token: 33 3184 WMIC.exe
Token: 34 3184 WMIC.exe
Token: 35 3184 WMIC.exe
Token: 36 3184 WMIC.exe
Token: SeBackupPrivilege 4136 vssvc.exe
Token: SeRestorePrivilege 4136 vssvc.exe
Token: SeAuditPrivilege 4136 vssvc.exe
Token: SeTcbPrivilege 1708 taskse.exe
Token: SeTcbPrivilege 1708 taskse.exe
-
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe 4924 msedge.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
4268 @[email protected]
3444 @[email protected]
4268 @[email protected]
3444 @[email protected]
3140 @[email protected]
3140 @[email protected]
4304 LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 872 4924 msedge.exe 77 PID 4924 wrote to memory of 872 4924 msedge.exe 77 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 
msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1996 4924 msedge.exe 78 PID 4924 wrote to memory of 1984 4924 msedge.exe 79 PID 4924 wrote to memory of 1984 4924 msedge.exe 79 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 PID 4924 wrote to memory of 796 4924 msedge.exe 80 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
4732 attrib.exe
4084 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://example.com1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3a0b3cb8,0x7fff3a0b3cc8,0x7fff3a0b3cd82⤵PID:872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2080 /prefetch:22⤵PID:1996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:82⤵PID:796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:5008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:1032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵PID:3820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:3688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:12⤵PID:4580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:2864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:12⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵PID:1784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4820 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1896
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1432
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1764
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4732
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2428
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 303191737286923.bat2⤵
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- System Location Discovery: System Language Discovery
PID:2008
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1896
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
PID:5300
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs2⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3444 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3140
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f2⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4616
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a23855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4304
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Defense Evasion
File and Directory Permissions Modification 2
Windows File and Directory Permissions Modification 1
Hide Artifacts 1
Hidden Files and Directories 1
Indicator Removal 1
File Deletion 1
Modify Registry 3
Downloads
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize1KB
MD564f25e171c12a2dc5af2e9dd981000fc
SHA18babd9890775a333f60949429dc30542ec217daf
SHA25606e4d0b26cd90c767eb0ad6e11901c29be90af3bde18d752da9211cc48f3d6e6
SHA512c8f119b35d0cc1c1cb6c9eebaf7d24f0b548b8ea863f6834203869d888b5d3ddf21230f697e6e37005a68f23f828660ced9eb9c938123d33a69e8a3bd7119bd1
-
Filesize
152B
MD55431d6602455a6db6e087223dd47f600
SHA127255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA2567502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829
-
Filesize
152B
MD57bed1eca5620a49f52232fd55246d09a
SHA1e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA25649c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Filesize 933B
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Filesize 240KB