Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 26/06/2022, 03:43
Static task: static1
Behavioral task: behavioral1
Sample: 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Resource: win10v2004-20220414-en
General
Target: 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Size: 424KB
MD5: 591c7f90216f596b849ef9562b8f155b
SHA1: f3c185a27c38214418daa50407c9964fd5281d95
SHA256: 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4
SHA512: 31cfa0fb8cc85398223b2377a170fbbdf01ad82764611c3c7775c80119bf0b5bd24d1943135ab18a3e1cff123813b0f786d522ea7d5c5387a1f84f8de6fa178f
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_RECoVERY_+mjofi.txt
teslacrypt
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AB5C99490F31F
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AB5C99490F31F
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AB5C99490F31F
http://xlowfznrg4wf7dli.ONION/AB5C99490F31F
Extracted
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\_RECoVERY_+mjofi.html
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\_RECoVERY_+mjofi.html
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/AB5C99490F31F
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/AB5C99490F31F
http://uiredn4njfsa4234bafb32ygjdawfvs.frascuft.com/AB5C99490F31F
http://xlowfznrg4wf7dli.onion/AB5C99490F31F
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid | Process
4952 | tjbpjundmkvy.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\OptimizeEdit.png => C:\Users\Admin\Pictures\OptimizeEdit.png.mp3 | tjbpjundmkvy.exe
File renamed | C:\Users\Admin\Pictures\ClearSearch.png => C:\Users\Admin\Pictures\ClearSearch.png.mp3 | tjbpjundmkvy.exe
File renamed | C:\Users\Admin\Pictures\FormatTest.crw => C:\Users\Admin\Pictures\FormatTest.crw.mp3 | tjbpjundmkvy.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | tjbpjundmkvy.exe
-
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mjofi.png | tjbpjundmkvy.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mjofi.txt | tjbpjundmkvy.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_RECoVERY_+mjofi.html | tjbpjundmkvy.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mjofi.png | tjbpjundmkvy.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mjofi.txt | tjbpjundmkvy.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_RECoVERY_+mjofi.html | tjbpjundmkvy.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | tjbpjundmkvy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\idyyxtnewthy = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\tjbpjundmkvy.exe\"" | tjbpjundmkvy.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\tjbpjundmkvy.exe | 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
File opened for modification | C:\Windows\tjbpjundmkvy.exe | 3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | tjbpjundmkvy.exe
-
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | tjbpjundmkvy.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | tjbpjundmkvy.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2008 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4952 | tjbpjundmkvy.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | tjbpjundmkvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | tjbpjundmkvy.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe (PID 4028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3619101e101b7197d37b6b2c02687b81884f8c4ba021c25853f948b484fac4a4.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\tjbpjundmkvy.exe (PID 4952)
    Command line: C:\Windows\tjbpjundmkvy.exe
    - Executes dropped EXE
    - Modifies extensions of user files
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\wbem\WMIC.exe (PID 4312)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2008)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      - Opens file in notepad (likely ransom note)

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4196)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3288)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffbc3d146f8,0x7ffbc3d14708,0x7ffbc3d14718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2500)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 304)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4640)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2816)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3852)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,6394372318946066506,15834496912554252623,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 /prefetch:8

    C:\Windows\System32\wbem\WMIC.exe (PID 2092)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 4260)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\361910~1.EXE

C:\Windows\system32\vssvc.exe (PID 1340)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe (PID 4884)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads