Resubmissions
19-09-2022 14:04 220919-rdc9sacaf4 10
19-09-2022 14:03 220919-rcs9lsfghq 3
19-09-2022 14:02 220919-rca32acab4 3
Analysis
- max time kernel: 1671s
- max time network: 1818s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 19-09-2022 14:04
Static task: static1
Behavioral task: behavioral1
Sample: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.rar
Resource: win10-20220812-en
General
- Target: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.rar
- Size: 196KB
- MD5: 7d02973013bf5377f423f087a9acbada
- SHA1: 5517c3a070261201db6c3b703cf4e1437b4fa454
- SHA256: a316efdb45d99ce940a32167e72016ad0250ec12748bf488ab16b7fcba847614
- SHA512: ac8cba1fa7060daec32d5ccdeeb31681d04dab0677e475d4d58f3c53fe823aa51fd33bba647cc5dfd1e3255bc5507439705e916305fcfc042111dbb405ff7925
- SSDEEP: 3072:1KlUDpRtml4HtFJhtsHGHVPZ1vzTtMwEIc+UYNOCxfHtPoyRGnH7H9xbF/026Mj:154l4CmHVPPPtMPHYki7QH7Hzb76Mj
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1099808672-3828198950-1535142148-1000\DECRYPT_YOUR_FILES.HTML
Signatures
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables Task Manager via registry modification
- Drops file in Drivers directory (19 IoCs)
- Executes dropped EXE (2 IoCs)
  pid 3188: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  pid 4064: WindowsUpdate.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  File renamed C:\Users\Admin\Pictures\DismountApprove.crw => C:\Users\Admin\Pictures\DismountApprove.crw.fantom
  File renamed C:\Users\Admin\Pictures\ResizeInitialize.crw => C:\Users\Admin\Pictures\ResizeInitialize.crw.fantom
  File renamed C:\Users\Admin\Pictures\SkipInstall.raw => C:\Users\Admin\Pictures\SkipInstall.raw.fantom
  File renamed C:\Users\Admin\Pictures\SyncDisable.png => C:\Users\Admin\Pictures\SyncDisable.png.fantom
- Drops startup file (2 IoCs)
  Process: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in System32 directory (64 IoCs)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\2d5s8g4ed.jpg"
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4000 | vssadmin.exe
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
4144 | NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4052 | 7zG.exe
Token: 35 | 4052 | 7zG.exe
Token: SeSecurityPrivilege | 4052 | 7zG.exe
Token: SeSecurityPrivilege | 4052 | 7zG.exe
Token: SeRestorePrivilege | 4756 | 7zG.exe
Token: 35 | 4756 | 7zG.exe
Token: SeSecurityPrivilege | 4756 | 7zG.exe
Token: SeSecurityPrivilege | 4756 | 7zG.exe
Token: SeRestorePrivilege | 4056 | 7zG.exe
Token: 35 | 4056 | 7zG.exe
Token: SeSecurityPrivilege | 4056 | 7zG.exe
Token: SeSecurityPrivilege | 4056 | 7zG.exe
Token: SeDebugPrivilege | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
Token: SeBackupPrivilege | 1456 | vssvc.exe
Token: SeRestorePrivilege | 1456 | vssvc.exe
Token: SeAuditPrivilege | 1456 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
4052 | 7zG.exe
4756 | 7zG.exe
4056 | 7zG.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1624 | OpenWith.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 3188 wrote to memory of 4064 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 84
PID 3188 wrote to memory of 4064 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 84
PID 3188 wrote to memory of 4628 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 89
PID 3188 wrote to memory of 4628 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 89
PID 3188 wrote to memory of 4628 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 89
PID 3188 wrote to memory of 1992 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 91
PID 3188 wrote to memory of 1992 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 91
PID 3188 wrote to memory of 1992 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 91
PID 3188 wrote to memory of 4168 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 92
PID 3188 wrote to memory of 4168 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 92
PID 3188 wrote to memory of 4168 | 3188 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe | 92
PID 4628 wrote to memory of 4000 | 4628 | cmd.exe | 95
PID 4628 wrote to memory of 4000 | 4628 | cmd.exe | 95
PID 4628 wrote to memory of 4000 | 4628 | cmd.exe | 95
Processes
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.rar
- Modifies registry class
PID:4344
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1624
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2664
-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30523:208:7zEvent21704
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4052
-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap30306:208:7zEvent10459
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4756
-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14570:208:7zEvent18120
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4056
-
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
- Opens file in notepad (likely ransom note)
PID:4144
-
C:\Users\Admin\Desktop\f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe
"C:\Users\Admin\Desktop\f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
  -
  C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  - Executes dropped EXE
  PID:4064
  -
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  - Suspicious use of WriteProcessMemory
  PID:4628
    -
    C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
    PID:4000
  -
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\update0.bat" "
  PID:1992
  -
  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\update.bat" "
  PID:4168
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1456
Network
MITRE ATT&CK Enterprise v6
Downloads