Analysis
-
max time kernel
263s -
max time network
264s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
22/02/2025, 13:24
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file 3 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Interacts with shadow copies 3 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 8 IoCs
-
NTFS ADS 6 IoCs
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 9 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe34203cb8,0x7ffe34203cc8,0x7ffe34203cd83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:33⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:83⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:83⤵
-
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 194091740230774.bat4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe f4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe c4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v4⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe v5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe4⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5568 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:83⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122884⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6040 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4088 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:83⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"3⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f4⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:83⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\satan.exe"C:\Users\Admin\Downloads\satan.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Guluza\vaob.exe"C:\Users\Admin\AppData\Roaming\Guluza\vaob.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Guluza\vaob.exe"C:\Users\Admin\AppData\Roaming\Guluza\vaob.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1296,17656569252240222626,17242190451912407862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:83⤵
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39e1055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
7Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5fe68444a298dfe7ce3afb15e1e04dc2d
SHA1ce8500b8bc9f8033bf5f6b28174d04852e996cde
SHA2564fa17fcbb66e9306869abf881cf02c7b890bd34c34852c8a8f0e276bab375ba0
SHA512ed3aec46de266977a45e00363f3e258e53e9763fd5304861d2a7582344f6364f9dba20d5a13e6c2eee42e6bb875eec2f3e900f45cc64bf911e7055008c2374c4
-
Filesize
152B
MD5648295913e8e74a91d84a0bd6dfa0efe
SHA1e42c17ec7e237fa16204bd204ba0d47c2e7aa057
SHA2563f46ccf49be312c1e7b3cd94ff1d27970975d6a80e052769daf31c772adb260c
SHA5126e3f03fade65388ad14c2443300f79d028986a7863d32ad731a3b1aef4bc4937e7cb150c814947befdf4d2a8510f70368ad35621ae854b9037e46488df7423e2
-
Filesize
1KB
MD5af8153c3b754d5d8469c3204c120edc1
SHA1cfcdd77531cf569ba26864ddd0ca40ba6dcbbc39
SHA256f3541f9f06ec786e7cd913f07f4e664798a29de7d12006de886f90769d4f4aaf
SHA512286d64242970e3bca3fdff85924c69d577f89eb4586e386b210e51333a38fe9bfd105702734ec6d3158f0e02f22c638a97c5af2401706539f1139202aac2d282
-
Filesize
1KB
MD58d95ceb2b20d6e376ba47b2fce6bb7c1
SHA14d942101fcd5cbe2eb7089ca8678699aa5c61b53
SHA25670d2e9db9c3f196af17c9c63e4ae8baf220083d50b5191f9b6c4ad69c1eefbbd
SHA512b8362e135dac5a06bd67543334917b121f47c9cf3c9910508c9b052cdc45d71fd7cbcd019c994f3fd67d4c617f4f50c2d7e1d119630c2f88ce62ace91926d0a6
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
579B
MD501429fc634925121b7c8ae154f15b8b7
SHA19bb6e7f6534427d52e4b20f6d7b116c69a853a5c
SHA25656b0bd40fda46ae0609ed209e4e2cff4ae489df90538050fd9310cbdc7841dca
SHA512713853838aaa359fe990653834043564ef516d8d789b2481542c6e4be8320d9a008abdc2cf44662e25499a45eadeed3b744b789cad852dc2b29295fd310a8ca4
-
Filesize
5KB
MD56e3370ba1cd01b02ac3d2a00f00d9550
SHA1aedd407c13b74f2490b0531b0c3b1c22c67a9d58
SHA25609361b345648b800f80636fd7bbd40daced5d684ffdf474be4c51bc918dd8cda
SHA51280a013d45cdb76e908d986a487dc6f3ca223d7a9ed82cf5bf1a5cc8d8470bc8f4ab5201357c8f4c3380a0738ffeb2ef2a3fdf41ab99aa3feefb0d44caa042e3f
-
Filesize
6KB
MD5ec1ab6e629813782121e3101b8cb2b83
SHA16a57771372228264f1f8d32e6756142413c4dd05
SHA256d19ffd018ef8b166d6b80c53d9f8387ce98d2ea1d67648b22e0732544ec42f2a
SHA512f6d8ec676b1994be86235124b0fa64c0b0429504b4fba7c2ccd53b0b817386f2ecfed31af4de1b667db7efff0fd62b502142f4d34847c149c1874485d98561ea
-
Filesize
6KB
MD50ee3a73f20aaef95127d9026e5cb0530
SHA1199876ff9fb5273f508d9575f41d2133e595b62a
SHA256be4bb22dd5b23a814e846c199118519b88647fa23e03fde5a9a51fd6a0dd2820
SHA512da066054cf3eaabbaa6e88c409d7a7b3635b55a236371d1cc5222e1677c43a54f7411250c833d6c5c97ffafe102e6049e903ae97622e3d43d53236df99e0fdd5
-
Filesize
6KB
MD55b7bc5bc061b1d921ed5b2901e57ce31
SHA1c0b79198f6fe6bf4210bb326bbc306e6396b0810
SHA2563449b4638fde0f8ee45e7490b290224317a522bb1e7fbac239a5d6cad3c97070
SHA512f03cf2e1864292b6e697442ddc531d9f53df7fa99e48d2bb64130e271d9d2cd7fe4863b265c08ba58722b9e968b46e6d228746abf35d3c43ffb64f3cb6e08c30
-
Filesize
1KB
MD55fa0b882aff360cf97a5b2a612dcead6
SHA19b8e793dd0f7a9b531a6dcc803f0519c662d8020
SHA256468969681dcba3e518e2d963718322d755abedc472006ccc1e9a60ca951551c9
SHA512b55c0eae138b11983711779f8d24fe68fb3da0565ed32a2c9f6a4e21494f79429d3f939c76425f78da6821fc47f74ff74e7cb10a0eadbaa8ad928a2da46e2371
-
Filesize
1KB
MD5fc208dad9ec9175e4de94bbc6a79eda6
SHA19431bb5207a07d45416a46f56680124e985075f8
SHA256cacd044756068ab5493e3c7c8f37eba702b6595dd654e1cd044cab4fd15621f2
SHA5122535e1253553067aa72bb74ab2a2e5127255a502d57e8d1f3564ccaa71ad2be62359aea61cd05c3d2195135f6ffd0af3dc7ec71afada5b8eadced4257b5a9106
-
Filesize
1KB
MD503add8b3ca9f29b2d4a4730dd1763a6b
SHA126f59b0d30a0432142b42fbd0b806eceee492c58
SHA256f6fed6a0778977ba72d6ee2959937a855e560e68881ec3dabb6a598082c9ba2d
SHA512b5f04f00658ee3f64cf1a15cc71e5d7e51127769b12287d9cad50a04f5f6e6153d2867475fb93936003a63128b5a7a1af8d3c8c03829cd63dc86f79e91d73336
-
Filesize
1KB
MD5bd779aa6109e719d032c65128396db86
SHA16a0df150f49799af0703496acfe18da173fbd4f1
SHA256114017289a22870d00d93d12be71897674b374eef887820d19e8240c3487f28c
SHA512023cf1486bbdc825e984f41a4d9dc59b62023a6f8163e66ca9292d6485d0ec752430f4f578437ef18aa3e78bf0248580c8d1dcc104854bd8581ae76f5d8e6c74
-
Filesize
1KB
MD5b39259b90f79723f622b0127cc8dffc1
SHA14f5b63924ebd756326df27d7026e98dd035006f6
SHA256dbc4e44e2e9f2781820b79c62eb7958a93d398bdb4b908e2dcdd46f96e01b6f8
SHA512b14eaccaa71eb280e883de4b8a6a92900ec2a1156a64368fbd33bcbf732b94d769c4ba19b5510f8ba9349833d6e16b5c296becd6d217ef715955f66b54db41cd
-
Filesize
874B
MD5f421219983603277844c12230a50c7b1
SHA179cd35bbc659e4f9b8aa26bf1608d9f5879887d9
SHA2561c903c4b5353508b575bfb99bb1d7f87cf307e9e75b6a1c9e4dfbee54d785a8e
SHA51234d38aed66a698ec3cace1a9434c9e400e4803d91c3ce631008817acc99ab07efc61938a2b0cb9391a07c575be8b6a6b96c44203150d200ed1ee632651c015dc
-
Filesize
1KB
MD5442d9af439528ff65e01bbed7fdc1775
SHA1515bd36c0ce6b37ed80f2f50eecc5d974e7daff7
SHA25663f761129d1ea31465b736fa7cf988b0543af7d47ca3cd181871ca0248873283
SHA512078d58c1ce31e5c5070ec145bdf8fcf3b6e393bfdada6e54b95a03e9112739bf2507dcba1619a1f94bec6ac07e19ea3260cf356e6b341729ff7730a1c6583bb6
-
Filesize
1KB
MD5e24c2155af09e9a1e9f112f7cf1c6d3a
SHA190747b8af44c8f956d9e3a5a829f664a305c010c
SHA25676bb857c8d9ba97d6b5b8617b589f910c21da4bbab5e3f56573eef571271fcaa
SHA512240f26d23190384abe06661cf7fd81a84d7a21e8d97842c3cba129c86332b38bc5c152a6cfa0f3fc4c8bf7d2dc0a394a903f481eeffcfd06a7687e8dec4d7a26
-
Filesize
1KB
MD59d023ddff4e9f05ca7bd85aaa51607bf
SHA10c46b8aa2b722195b56b269cfe4f43c7173734fe
SHA2569eee39fee720bd13d06951b0605c6bdae10ef3dd4a9acb9c5deef1276c17dd3e
SHA512767eda07bd82f1ed0921c7b2b5634e2ccbfd46a76dda3269f1f80aacf71f839ad1b5e2a60c882896141afa84ac450a87150b953ddfd193be114d822697f82a9a
-
Filesize
1KB
MD540994c7fc4c51f24c97b0d59a6873dc5
SHA1e7d5c2ca6e92d6c38875285f3a0b2ef7985e7565
SHA2565d995866316eed6fdcef331e1b6d1fb4db4ae420ecd093edd93d53ca9e5c613a
SHA5120d70eeecfcec1335060861a63bd44f120d4dad3f530f27bbb8e2f3a9baaa88094f99181468e6eb73feb1f403142aa6f97a54bbb8300582cf176fb8e0f623dfd1
-
Filesize
874B
MD59c2395d4386af3d7f1b37ebd7d37c93c
SHA12278a14bb12b3cd42b58fffb9efe55ed437714cb
SHA2568418754dfc82f349db3f16550a5c2e0aa6df01ccd047c022e50883cdbe40264a
SHA512d89ba2b354e2eea250088ebec3d1f68707cc60e6b2bb22f36d34b634b6ff9bf9d7dca4fe875aee0600ce3ecb78e6cd056f321bb42fc1c6bb469acc4c2850142c
-
Filesize
5.1MB
MD5e2c1a41fbaf0a0569e29151d76304a62
SHA1c8a5c2e2630d564ae98a538d6798b017bd1f7441
SHA2568158059c82cdc1698fa6c03e057f86cc468bc2a5da0b98cc2c133688d67ac51b
SHA512a8b9cc7f820b219027c0b2600e68d346cc75d9c21aff63c913c9369e00fd17dcfcc4fdc566bcf0e8772e1a8acd5a9da936fd1c9b186aa50afc3dcbb0d8cfdd19
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
Filesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
Filesize
11KB
MD55234bfef5e4997c6f0cb3515fc20e63d
SHA1acc0a3b6ec45bf9de68e66b23a429e31f925598f
SHA25601d8ab1086c87880a09a99cccae064827637aad3b7e26ad344bb7776e0e7b233
SHA51275608883994a007eca20967ca878b98d27d7cb435b13b9e09005f97794f9215694db8ec3345cde0020b66cabbfa37a235ca1a4fcf1fc81b65908483fffbf3ef0
-
Filesize
12KB
MD59e02d2d7397b52e1f5b70e6555984565
SHA14260ccdecbc7af099cf624cd103a9cd5c4d607e0
SHA25664017deba05a9149dd39d5c7f274957afecb119498b52200dffb40f593afbd5b
SHA512b627d8ae54067958f7203e6048b40f82a2444776516164c0329a8b8456a08c38ec5935693cf662c694bf166dd2188e7f49f4a2d372fab4d77690bde233379119
-
Filesize
12KB
MD5eeb13a6d6b29c7c32ea96a24365b284e
SHA1756d46c828fa7346cf10c74a5e882a40726cc3e2
SHA2569d22c3e95da10b2f06875f11aacd18a967644a81fc82fee0477ea974981c66da
SHA512bc71804ff0e083f8968702cdea1f1c291c716d6da5e40d99cb3e6fc91256c9e654badece8f8c5a16a359044a17104cad86c9d2cb82733208a44e945898b1898d
-
Filesize
12KB
MD5b7610e473cc37a2e832ffa667b4b4d2a
SHA1800cc0433ced780ab75c8d2506f9520a5531835b
SHA256387604aa440ee80386e2cf1661ade3d96a5b6b6f2f3a23d5934e71c49df68a4c
SHA5125544e583ca0fc300c581536575df127d7a08e0a82bbcd83da3c631d521f4c8a4e26c8071310c01234ed97f259ff4c66dd9c09e627dee027a67df52347408953a
-
Filesize
11KB
MD5fb642af678de7013af70fd43737c0302
SHA1475f85511666f75638ec95f8ba79dd69463555b8
SHA2568ec783403c00ea67ab843e0bfb3e5a2d5b2203eb0ca9b4796899c3bde468a1f4
SHA512fe79529f41ff1296e7718dd2c9a6a057b36231bcc83f26bb54fae594b809acbbe055938a68c0332ddffaa261ff25599d16e6d97c0c943912c0dc0dbe9f08b400
-
Filesize
12KB
MD5899cd9cf3aa28885d410f37807f2fb98
SHA1254237699c9b2372bcfe66fb458e31eb8b38b7e5
SHA256ac3f3c0d8aa9bbbe2992b6e8213b27fcd14f5e11af817ddab1b49d4a60c96288
SHA512d0f13c077cd1939fafbe56dd36e3a524861ac732318995d52a1d44bde41f0da4818d5c49848150c2934a79cff1789ce552f8dbc63d4bd5a3d99f74b5f457b395
-
Filesize
12KB
MD5c565e61b4c320db3e4175ea945720a12
SHA1b194bc5280219af628b26c483c4dd097e09e59f1
SHA2562fae38ffbc2ea4cd527aae52828472a20575b1b375bfe7cada60391ad89bcfab
SHA512bc491a374fbfb5da425839e200e11aa4ec953e45b57bc9e3b941546ea22b6d5e4a2870100d2a5e8e60183f5496928dd5b13b4bf28c79a691059d8e515a34bfde
-
Filesize
21B
MD5f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize
417B
MD5c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize
87B
MD5e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize
14B
MD56ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize
177KB
MD5f63003dde9a3135b40e763c90410bdd1
SHA186255ca46580878d88164fbd071614a3c7fb2b0d
SHA256df18ba4022afa040ddbd4bc1c025e656610fdfec688313219733911a057c6e08
SHA512a5a1b291bfcfb4cd699820ff30016de1567e70281a1021e00ca94101f4e6b38aab083c920f546e99a1c7fadc4e3875a95aa3f25fe895bee0105148326adcaf5e
-
Filesize
12KB
MD5f762eb378ef4adfdbcde1ccb1feb3d85
SHA17edf39acdf8427ca6a1aedd64fcb357d750b57f2
SHA256293aad946db865698d8d49c7da3c5f548dbf373187352363c15b2730152ef138
SHA5129a7799ae7e4cd662a0703976ce5d08a94e9d6b1a3d2fbd2367f55c4fc260b0de371647b75577186d087c5cd4dd600ad6a69fd17036f5fab995587ce87f386b70
-
Filesize
13KB
MD51aafce5863c24f2624244d77bc273cec
SHA1b142e052f6e7d1f8aeb620e8e1c587563d25d74b
SHA256278240deecb9ede2b2c880e4e7ac3ed7495745714f6e3b8559f2ea0f808a67ef
SHA512367700b57056f9cb357c7660012e236e96d414afc2404c5ce620f506bd8e6d9d6fe4532752d474a37af702884bd6092451fe275f14ef365b52cf4f51ccc88d0c
-
Filesize
36KB
MD51caaa0f3f122769c9630a265ecf62b35
SHA1c155c00bf28ab3a966f2052b2c9657e48ad332b6
SHA2569c0a87aea9bf3191bb0d048a7de016d4cab13427c1612484a7c94dfce22ad38b
SHA5129b74622376a6ba4ecd9f378a758398eaf61d55084c584fe665750ad4ae702f78b0eb02171e83eb925a365760cfbc1bb2b267bbcf5d8a00afec2b302197c89719
-
Filesize
24KB
MD5a6064fc9ce640751e063d9af443990da
SHA1367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
SHA2565f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
SHA5120e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0
-
Filesize
8KB
MD5aafc89bd7bad5e56531a5997f68d42a3
SHA15bd8dd9a9495139180479815ab1a84c85b858ba6
SHA2565947cb2a5afbfc19fc0d6c0d15ad373f9d17a55710f25779c1db1a144a4c0100
SHA5128e21595200f3eb5d05eabc4849a10772c383d4f3d9039e619af5577001d8c6374361f3c232a7a8658c18002808b45bbee0e56ccba2c42c63a4fd40ad895cab40
-
Filesize
5KB
MD50ed5bc16545d23c325d756013579a697
SHA1dcdde3196414a743177131d7d906cb67315d88e7
SHA2563e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
Filesize
816KB
MD50a57b9d7f607da77cad749c61f515593
SHA1fd3c210382ad80e6acd936115e8ba0ecee2b4b7c
SHA2568585fa818adc5f5eebd7d9d0520bd9f25f6b6fa29012a5f9c64d791471bc2cd6
SHA5126bcbd76326533b5b46541d8c9d7dc0cb3ba210c73167ec355816e5ab9858f9049642c642f494df2d3f9ca93f9f4a3e82de0b62b80d09d6c8c208698164b55ecc
-
Filesize
830KB
MD593bd6d477205a69093f7f642aa9be722
SHA14b4188e8fb771450d02209ef634715219c03c81d
SHA2563adb733d4a2bab5f914bddcd3c43ccc786c323ec402095569a43246639f3aeba
SHA512079f604b2bc28d5e392341457e8b1c8d411db0bf49e5af2585fde9e5a287d83495e8abb899e0d7b3725dc3ece33ec43462503b16c6fc7f6087b23ea747bccb89
-
Filesize
254B
MD51873596b69511813011d2e415aecbd00
SHA1a829371ddc28993e73ec5cef84a401e136340635
SHA2562c33b1a760e609cd595e8e598f0612b4d1213e0f3f7bd4b489e01dbd1dede3ae
SHA5121b18c50ab87a908683e5fb70e83d39a601e1fe02dd4689341147cc553e6740a8c4f55dd3692824bdf77313d1dd42224755bdcfb55ae6df4d89c43e6f96ed7fec
-
Filesize
294B
MD54a5fd4ae80b519994d682b0e9af443fa
SHA1ef691302f8715905c3279a52b027438883884d1d
SHA25669b186b801e93f6347e0d7f7eb050395568964e1fa990cda177e45a2c727ba1e
SHA512d5872d4fbe468857936783d9f92892209e092e06ca4d9fbfd6f23ef3eef6f58d9d86f727faf876952e8bcbb60013bfd0a6d9fc572bb16ffdfad9be56911fd2bc
-
Filesize
31KB
MD5579440320b31f3f38e2bbd39acea7ed0
SHA1f916a82fa2f601603f8aee4bc29b552373ecbb84
SHA256db624719beca1852b31f205b8ee8546d377c7272bea5bc0060e8d56880c0ece7
SHA512d9470c2fb9a5eaf781e36afacc4242f166e3c45632362cf3e5124ff6f477026df37be8c7720e4355f35bde281de3cabcc69f7b48ca6f439ba8b0e754dc2b9137
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
658B
MD5dabedc35104aaa0b9872505ae5e4bdf2
SHA1b0decbd6bdadcb80ba0fb7c993514b02428043cd
SHA2565e62e1dae4ba61a99d3fabd7faec2556ca7703bc592a4e2b1455bec38ddbc0d2
SHA51265c6a1bd63b82519b6707ba99e8fd5483cf4fb0e5b3a27076699d2d004e2a3153818d99ae35d07d8860ad1646fdbab53c72304f5749976f1a9a1022042d744af
-
Filesize
658B
MD58e026924c266220ecb899e44369a675f
SHA1ee15e50478b1844a77e4284f0892d99d89087f08
SHA25638f8ca61ac674f1ac0ad9def34fd429f1a8caf4e479dca62fa81349892592a5b
SHA512bed9d7988c5958d3acfdb0c646d35f9427e5cfb13fba9e883d0e5b6a2f3e9a10110336845e8f35666abc56b005bcebfc2c75e6c0247f851787da4325dbf3c663
-
Filesize
1KB
MD5914d7571b21dbe87d4f8d86ab705a939
SHA1b07e53bf460cce902f5d07e6539c5cccaa053405
SHA256b988feb4ab270bb63d363dbd7d3eb2740cc8d8081dd20e170401c2e92e097132
SHA51245502dfccc3b0476f51e65c4fb4dad25dab2bf156a8a7eab61a173957fdb35c58a2076e6767a9dc9e8dccf79b3112e9bd7b6e8fa84dec7ddf782cd283dcf3ef9
-
Filesize
800B
MD581c1845fff664ca86f152adc8fe842ff
SHA18c1e93c4a80cadc66690b01734e3faddf886b2d2
SHA256146bab79fe96119a1be2c3c8a62d188685b5e9cd0817551b5a5377cabcd55c7d
SHA512c37490ada3296d8e555748bcadce5a7223f6ad255f6c14ae52643640031882591211c9a05dabc988a9fbc437dad8ca6b8af7b996956118774bf8f507b3e9d10b
-
Filesize
592B
MD5e92592637c254ecdca05c4ecda118297
SHA118c503a8d591ca3636ede9942cfaf38ce53819c3
SHA256d29095368946445c112f72551849edf97d908c0d5afaad212bc3d4f4791e80b4
SHA5129c6ad6a2eb18511027ffb88ea71b718ab25b49593c7d13888c3f89cc2ce84ac91b34af8c7c6c7d28f8d6737e1e0220045e2496dc59ccd5ccadd9c30008f6bc13
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
590B
MD57218af598a2efa5315d933257c5a331c
SHA1972ac5e7956cfb4f42104cf87a8b58c6cbe95b42
SHA2569a27a29aaa2a941dc5bbf811337d442634117b914ae771985db3acc61fb069b8
SHA51250f355ada4dbc63d82797e9eedbef2262026a576a83d8d87eaeaf20cdc54fb09fcd5cb70c3734af5fa7efdfbcfcca61e32596db97a18b9b82cc8502d960117e3
-
Filesize
136B
MD5034e84f843c0f0565a582503b611479a
SHA114f43732238fa24036522430f876009133adf1bc
SHA256157279742b9486409395b1ac938108a45cd56d6329f6956e4fdd7bd6768dd737
SHA512ab54b9ff2c8aafa29fafc776386a635c83b998b61c5abd8813d371bfca75c8d890f202cf7a2084dfb83461b3440cbbb6a0f4b911c685e53fbe3364bddadc325d
-
Filesize
136B
MD539f1b3ae0c5453b728489014291647bc
SHA1a8578c0b6bbdecc950fafe8619109813db807664
SHA25672eced62280c287b0f1dd043aa403c86df12818638e1d5b32211489cbde94b05
SHA512f6921af3e6b79b40421d94da50fd49caa0e80ce8f0a6504f2e1fd5ceeb89f62f780e2b58cf8c5272d0c5981a68b0238251b372e8cabfc49e2df065a374c86972
-
Filesize
136B
MD57a532f01d40d12e1a58b61ac68568e45
SHA177ff8feb730172d7ad0963744b20459e6a4fe3b4
SHA2568116521e4ce6005b36b6dd016d50a03d78fc6b34be31793ce6c8d962058adace
SHA5128450ad357d9191c9394c3de51e978c4408f9320b2d332bd3255a31de982f027497d019bd76798bd9d651c0fc2443e5c238304b32d02f4ec3d31f9a23897c17a8
-
Filesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
Filesize
40KB
MD54b68fdec8e89b3983ceb5190a2924003
SHA145588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
16B
MD552488ef3f42a79048b8cbb5503816741
SHA156651900d95ee36de389c29b7a7e6dedbb421eff
SHA2569ce5f9abb2fb204df9fc5db071bdfe0fefeb86da178d8c7b8e4ea29784c48154
SHA512d42a0c76a4d24d930a9b6ee15205a02a6edec97ca16e9febc6eb47d05ff7d6f2af7c3d430d416bf464dc561289428d412acc856718aa5ead58de51b1e8facd5e
-
Filesize
15.9MB
MD5b429600464ab2475f871129aae4303a8
SHA18040d1dfbc29194b491f2dcc505c4590299d8680
SHA256e7295f1b2e60cb142eef3be1c85d29d6259fe9d7f314ab81c58deb40d0e77a56
SHA5124ab197e831e142db89e0aa95b40fbde7f66c0c83da36ae8dba31325da5bb4eaab8b446063a547b81907581e370d80c43c9b8c54f21a5b8f949615ccc07be71fc
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
184KB
MD5c9c341eaf04c89933ed28cbc2739d325
SHA1c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA2561a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA5127cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
Filesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
Filesize
628B
MD50afd564f2bdb04fb36a92608e2cc7e3f
SHA10ba9ea8d43aea8b8e4506b3bd2c10346cabbbdef
SHA25686c47cf62e7255d23eaa50d2dc05327d43b8a7a6c5e24f4709fb582cf7dcbcd7
SHA512963198d529045a1614bb75df04c26a4e0d1c2ff0ec80e566b6e63c7d42e8efbe9e7b0293782590d78e36bada6edb7fe44048490a683da992a8775df37f634e69
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
221KB
MD528e855032f83adbd2d8499af6d2d0e22
SHA16b590325e2e465d9762fa5d1877846667268558a
SHA256b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
580KB
-
Filesize
756KB
-
Filesize
3.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.0MB
-
Filesize
21.6MB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB