Analysis
max time kernel: 256s
max time network: 255s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19/01/2025, 16:34
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1095394818596810783/1330575945802977391/BBYeSM0WhOb.zip?ex=678e7aea&is=678d296a&hm=dc834524ee4d68970aabe416478c98f98a63ea3b6b87e9136e28b26da6bf5a68&
Resource
win10v2004-20241007-en
General
Malware Config
Extracted
lumma
https://deedcompetlk.cyou/api
Signatures
-
Lumma family
-
Executes dropped EXE 3 IoCs
pid   Process
2216  Folding.com
2792  Folding.com
960   Folding.com
Enumerates processes with tasklist 1 TTPs 6 IoCs
pid   Process
460   tasklist.exe
3204  tasklist.exe
3640  tasklist.exe
2432  tasklist.exe
1388  tasklist.exe
652   tasklist.exe
Drops file in Windows directory 12 IoCs
description                   ioc                              Process
File opened for modification  C:\Windows\EmpiricalPl           Bootstrapper.exe
File opened for modification  C:\Windows\NeitherRelax          Bootstrapper.exe
File opened for modification  C:\Windows\UploadedNegotiations  Bootstrapper.exe
File opened for modification  C:\Windows\PermalinkModerator    Bootstrapper.exe
File opened for modification  C:\Windows\EmpiricalPl           Bootstrapper.exe
File opened for modification  C:\Windows\PermalinkModerator    Bootstrapper.exe
File opened for modification  C:\Windows\NeitherRelax          Bootstrapper.exe
File opened for modification  C:\Windows\UploadedNegotiations  Bootstrapper.exe
File opened for modification  C:\Windows\PermalinkModerator    Bootstrapper.exe
File opened for modification  C:\Windows\NeitherRelax          Bootstrapper.exe
File opened for modification  C:\Windows\UploadedNegotiations  Bootstrapper.exe
File opened for modification  C:\Windows\EmpiricalPl           Bootstrapper.exe
System Location Discovery: System Language Discovery 1 TTPs 37 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description       ioc                                                                                                                                                 Process
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                  taskmgr.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                     taskmgr.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description        ioc                                                                     Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Modifies registry class 1 IoCs
description  ioc                                                                                       Process
Key created  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings  taskmgr.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid   Process
1500  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2820  taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid   Process
4768  msedge.exe
4768  msedge.exe
4768  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
4556  msedge.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description                      pid   Process
Token: SeDebugPrivilege          3204  tasklist.exe
Token: SeDebugPrivilege          3640  tasklist.exe
Token: SeDebugPrivilege          1388  tasklist.exe
Token: SeDebugPrivilege          2820  taskmgr.exe
Token: SeSystemProfilePrivilege  2820  taskmgr.exe
Token: SeCreateGlobalPrivilege   2820  taskmgr.exe
Token: SeDebugPrivilege          652   tasklist.exe
Token: SeDebugPrivilege          460   tasklist.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1095394818596810783/1330575945802977391/BBYeSM0WhOb.zip?ex=678e7aea&is=678d296a&hm=dc834524ee4d68970aabe416478c98f98a63ea3b6b87e9136e28b26da6bf5a68&1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe662046f8,0x7ffe66204708,0x7ffe662047182⤵PID:1328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵PID:3664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵PID:4632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:2908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:82⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:82⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵PID:4560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7378264610645828063,16720658032261668517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:700
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2236
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3960
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3852
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3204
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
PID:216
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3640
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
PID:548
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
PID:1892
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
PID:4992
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Cheese" Difficulties3⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
PID:2832
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
PID:1396
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2216
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:388
-
-
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
PID:3204 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
PID:2432
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
PID:3084
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
PID:3436
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
PID:4324
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
PID:4528
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:4712
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ryosa\README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1500
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820
-
C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"C:\Users\Admin\Downloads\ryosa\Bootstrapper\Bootstrapper.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:652
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
PID:464
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:460
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
PID:3636
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
PID:3148
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
PID:608
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
PID:3772
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
PID:372
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=Folding.com AutoIt v3 Script (Beta) (32 bit)"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4556 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe662046f8,0x7ffe66204708,0x7ffe662047182⤵PID:2684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:22⤵PID:224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:32⤵PID:3028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:82⤵PID:1992
-
-
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1 (PID: 536)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1 (PID: 4736)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1 (PID: 3860)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1 (PID: 1376)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1 (PID: 1980)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1 (PID: 2956)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1 (PID: 2296)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1 (PID: 4452)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8 (PID: 3944)
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4826412387737138899,1850217091242132612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8 (PID: 560)
C:\Windows\System32\CompPkgSrv.exe -Embedding (PID: 3020)
C:\Windows\System32\CompPkgSrv.exe -Embedding (PID: 552)
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB