Analysis
-
max time kernel
142s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
25-11-2023 03:01
Static task
static1
Behavioral task
behavioral1
Sample
quantum_locker/quantum_locker.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
quantum_locker/quantum_locker.exe
Resource
win10v2004-20231023-en
General
-
Target
quantum_locker/quantum_locker.exe
-
Size
75KB
-
MD5
0706764b3963df092079d3bdef787a1f
-
SHA1
73c2460d59f3d0637523ca6d35425aae14358ba1
-
SHA256
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
-
SHA512
3af7ff3b2aa689eb4c410562b5ead74ff77417da941521928391c6fac3dcc6a75f6d866f52b12f67a41564cfa81afcda51857c0f208f9e90e8629e0f0b5d5cb4
-
SSDEEP
1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGp:OfJGLs6BwNxnfTKsG
Malware Config
Extracted
C:\Users\Admin\Desktop\README_TO_DECRYPT.html
quantum
Extracted
C:\Users\Admin\Documents\README_TO_DECRYPT.html
quantum
http://tijykgureh7kqq5cczzeutaoxvmf6yinpar72o3bxome7b44vwqxadyd.onion/?cid=9064d8b148a0f19a9e3598a6e0b0aeb17b39db9562368650164eefdf45b6ef53
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Drops desktop.ini file(s) 26 IoCs
description ioc Process File opened for modification \??\c:\Users\Admin\Favorites\Links for United States\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Downloads\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Videos\Sample Videos\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Recorded TV\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Music\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Links\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini quantum_locker.exe File opened for modification \??\c:\Users\Public\Music\Sample Music\desktop.ini quantum_locker.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\f: quantum_locker.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407043174" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e90000000002000000000010660000000100002000000053fe0e92e8b22705e67681cc5e6f476e4a8d678097351c76e7f48bc6cf6ed29d000000000e80000000020000200000004d8b434bd4184e429030226350e136c101feb7b9e9db6f2e8463ea7a2f862b90900000006f992dac28a2416694c2c199c728d87a5d7ff42ea35df954fdb07a1c24e82cfc32ff46eb00735b7b78dd628ccb2a4720415a3f1faedc3cabdb171d20b8ccb4967a9e8711350de841f0bf4ffb296b057fd6c01f923904bb765c38272caba40e353fba9fe82656f809ccd8a91d3e93008f9257c95466a66bd5d31d6df266e9c9a394c59afe91ed674251d97a11faf6e820400000005a976dd1221846df66554c955e4ddf0e3c3fe387de79a3a965af6fdcef7de2dccc0311f82e0414c9e202241dc9bb78652ca64485a46e706140e19497e2ff801d iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000d824cc73468c81b426c3c10ccfbc2f3c42b800d6547d10a93d74758fab93d6ae000000000e8000000002000020000000b9b8038417ea23d4e082e924d4acd0ded388533a48b0de3b82648918fefc16c22000000070dc7a1452a4c732bac800b43721138e892992da76f90e960f151c1ace102943400000005c6a33f0af5585eb98e9053003821a4847a12e1e5e31b1e1aea135041c655c579eb555bbacfb8c515c74d3e3b223c886d76d4c85416e96f3e30ee93a6e21038c iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70045ecd4b1fda01 iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F84E2481-8B3E-11EE-888E-E6337F2BB1FD} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell\Open quantum_locker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell\Open\command quantum_locker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.quantum\shell quantum_locker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3068 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1464 quantum_locker.exe 1464 quantum_locker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 1464 quantum_locker.exe Token: SeDebugPrivilege 1464 quantum_locker.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 912 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 912 iexplore.exe 912 iexplore.exe 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 912 iexplore.exe 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 912 wrote to memory of 2984 912 iexplore.exe 34 PID 912 wrote to memory of 2984 912 iexplore.exe 34 PID 912 wrote to memory of 2984 912 iexplore.exe 34 PID 912 wrote to memory of 2984 912 iexplore.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"C:\Users\Admin\AppData\Local\Temp\quantum_locker\quantum_locker.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2080
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Documents\README_TO_DECRYPT.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2984
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3068
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5da19bc5a39ee75efa1d55cb8cfc21e21
SHA1fca90de8445a55a95dd104e9e431b85ea085438a
SHA2563e73f26b7a54cf99c01c4be64d7ab6f64e5c5fecd5e1213f9dad0b79c8a5f933
SHA512cf160ba864f529d8e906ddf3b752f754b1e54524e98f719e3a8821a6d74a68b11a7430d834422d9b97f6b8c602a3552dd0b0b92a04b505d60c4c486dd3bb4e49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57ea6b039dab6302f5909e816b50bf793
SHA1de0ea96095400f728623db36e43cb7f5f546da9b
SHA256b2239bfd37aaae8926832d42a779d1d7dfa834c87c16316c188544e47cf726ce
SHA512801c325629c14e4de232eacd4600571ffc3c7e123130d34d93587fd00484d8533da7915c38024a46da77c93f76015379158403afeb467dc9e6ade381d00052ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD572d73d24e81421a94d3576e2e77d493c
SHA1d33c25c482ffa102367f8ff8bd384a00d954c955
SHA256e4a73b4b252f80a4c0a64f548e27dbcd81d6eb3e2fd4ec4789600afbdb2143b3
SHA512ac18bdd139934e1a6877e0f126224a656dd5a72f6ed7eeb19df4c7ff72e42aeaaba2ca2d7e2b65815bc744539434f1e3f83fa300ce1bf57e33eff39026a2f07f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5486fbfe4f83af1fec3a8f7c5855f6d6f
SHA1acc1d632c79349aba272c08deec46a55d763992a
SHA2561c84efe3a6549fe90363e8c10b2d73aa2df89c02658eb447cee1aa2c6427aa08
SHA51206daeb54490afb5826b5dbef12ec0e58a6c71e7ed9f38b499e445386ef5973df58c7c18f03177304b5ca77072173a3e71451229d89a5c81398e4d978f28be020
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ce47b8ff22f5cac73c55bd38d2b64954
SHA1bc5bff01e5bb945d923d89d88cf915de86a6be04
SHA2565f2ad27a39f313438f28558e597de07ddbcecbcf735520eee8f8fc89e3113565
SHA512f3e708a2af6b4b40a02984deb3f582bf0e1c1f7044a10eba9bc1f32e6312761ecf49a56f6b80d924463e7a870fd434845ff7e50a2fabb61e7967cf165040e0a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD582bf6f201961bbb26999da4086b34167
SHA1700d04f996d8b5d34060a211395e2a77c54c9d6d
SHA256c2e8390434531c924d140bf932d69a78126f674c8ceeeec8664e65ef4956298c
SHA5120508381a2eec735fc73d375d620dca1f9b4ba5978b5bb32615ca25e32981a059aa986d35470afa17f6d093adc66be488cc6ea081a9e7605ce6b7c209f370b6da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d108e7884bee33cc33a4521d8a7ae52a
SHA1186ab5f91bb7214706649e3999767866a6cbfedb
SHA2565199032e34040dbf3bdd607df7db4ee32c227c847aea1c545d88d4f9463f7a69
SHA512bba9ea98427b66efa92676e5350c12c3fbcb44d8fae082e18ccf127ac492bdab5545cbb552762180f7ef9e230364f4dade13a4954e7cd8b6d751d97dead5f7fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e00e34ea44090d2c1d57ae0c549265f2
SHA13e62f7aa6f6f13c7663fe25a5755ca782c62a74e
SHA25674571c0e04b44b2db046753edeee7da0ae81e5c959ea133cb0b9edb4282fb8e4
SHA512eef1a8670dc3866552081e311cd7034e162b2ffe5cfdff8f31c44f419fabd9eeded88f4b005579e8d6476df08910d36ae0f7f3a41d05c807872bac9961bbe29e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5720a3add29ed96a98e3329c63c59940b
SHA17596fc85f53a6b704b55491a10f68eaf99b89d39
SHA2563bb77c58bff153fb30c44b180a6a5297a58086d76834fa3a218a868ea54e22ab
SHA512244282d83cead49f7b33d1d52cbd67aa24225d13c11d1dd41cd769a1b4a0d45ed8193a7dd35311d42848bddf1de5f113f19c345f7800ceec1ecfdf11e3a92d42
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a793d7562f9c6416515bd8a57256183c
SHA1db4f399504c99eacc3a7ca72e479dc5c24753bf5
SHA256d3b9e519f720e0fbde5c030cfc6aaa3aa095f1f6ceadd1d5be81a3b612b13c8d
SHA512dc372c57b93c096bd0fdc7cc192dd559fed2a037ef4d927f7ef65ef4229a470f03538dbb4d84907eb414e230cc3a65243343c690129807ebb7bd60340b0b4240
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d7173d71bcf74f645a30b92435c4e35d
SHA188fff6a15ed25415fcd2b12f4aa35bc99fb12376
SHA256801a7b7c4ac6da43f1c3f53250ea07de362a3470fea80e53754120a4fc93b162
SHA5126acb9215aada232a66233c7725453349103404464fc5817897b1cdb476f4ac33f9dc4be1305bd0f0e0c662a6b4e1d8f8dcb99d55cc506ef896aabbc58b568f87
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5202846aed54a09b7aff5cb4975aa9e25
SHA1475fe160b6c9d65b055c627876633c4ba302e6f7
SHA256d0a6d7c98aeb11284d89fda5d171b82368fc3192bddbb85e2648a9ba0ed2dade
SHA512adb3afed6a019e4fa629f88bc070963ea12d68505fa52ed6ad2c5c29a6c00818db527e6e4e6c05faf416204f7bd854de2555c713de9aa319bd5e74bff0a6f48d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c5af4680dee5af4042fa7a4e0f58a51e
SHA1efecfcd8031e3db34ccd89840d2e7acf51ccc14b
SHA25647bccbbd4757153143c9628e8c16177231f9181fa7dff1706e22e0844c2742e3
SHA512f8f3c8c16417ad4592c918d135c0dfa98df87b30b6802528d45013d41aac73b2d01c7525898a159734d49fb8909e53732da9d5cb0a796576e7b85d2c3c04f76d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54e392c7b4f9e013b92ad5c44ec60d69e
SHA1fd3e7b7fed9a740b4f971f4ba945b4b1aff9cd28
SHA2567d03c2545934c40113458b0b37b13fd7df076050bf08f3eaec7201067f6863e6
SHA5127362038a1d46de9a1c03263ccc58e20e253aa5e03088f2221f3a138821197c388f12a07c648702e9b2caa4222639c9e02226d34ff78fbe512b8713a909f1dc1a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d6e3cef12f9223fb44e9318fbdff6cbe
SHA1e7ce90331ff41b69dc22d02912f3704e1cbc5b88
SHA256fd54087b7916cfd1d6b1da165b81885c2424699d511ef14a4ed89d4e6b47ef04
SHA512f0db0a0e338aeb29c1b6a8af68a20528bb326f59c17118d7d27ef62a8367d866a7f3db3eb72aaf906e946ad40e0ed105624cbc0e505c521bb25300758accd938
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55244a2b65399d13a0575f6502220ad02
SHA156c53f5fb9d569bb423714de2159989705443dec
SHA2565114c1ad3c73998d396b751edfd350b8b80d53cd8faec7cfe47af80439473c83
SHA51274e53b410074ba73edb3d5971aa4f03f7abfb072512c2acf11af6aa25cf101a5f614aef9bee42006807fe8137c44b28d91b31e9029c0e1302dd8c85883116b81
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57d6ab48c60bce9106c826b765d4fa116
SHA106621fb586eab38d3261f75b8a917bfd165701ff
SHA25618b1ea876a4deaa79cabe39740b454138e0852e16328bec727c3d1f873b5cb6f
SHA5127d15305a56b48c43f747518cbd97d605a99b80bfd8170b070e2b4722ef5b647dc5799fffff3ccd9e24626f51bac94f47776ab0beb0da39b5c0851a9340562623
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5331b1942f78f00334e89cec0830557f9
SHA14480dc303ca6630016ad6380f8bc070d33258ce9
SHA2562d4d6f10fb83110fe335e22b01c8f97822a5b20e63f7d5dca832ccbf3fc84a3f
SHA512fd92a24148af1fdb7d3335391f123d371d325bccf939adbaa931c867efcc835cd85960b9ec2482efc2ed2b9a2c3abb1881389588c7600729f0db7e4203e3851d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56a63fb11d1d808cd44220cb5f127b578
SHA116bae018fc84395eda02a6c19a0a8c1155dc1934
SHA256053ec2c0c96f8bdd93507642b7478fe633b5481dccf83c9464728537b7e4fb4c
SHA512ac58c1dcb642ef5d672ac16f1952d69b00f76ece8dbc645b2af0f283138137b2d38dadb844ba2c37f6645a892f80752ce376435570c3d9b4d654b4f73f3c8163
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cfb380b65ee5985ed08421bbdb28d1f0
SHA10900a4df3313982dabb663cf7bd0cb2f64558371
SHA2560759783cb0f9062d92a60beb8d771cd715013c326deb1cdfd6a14aead74d8ed6
SHA5127f83f8946833ea1a404165513e3d2514c92e81f085815aecdf32772ccdf4223a56e44c9bfc241dff299e52a8b01b30317d72b2f0af5fa538e77f3585d6fa174e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e24118b156e85d9c3e4905dbf1400bd5
SHA1e61814505576a23a53e0420f31c28cd61a42d0d7
SHA256c6d1012f681a6f3ecc281e3e1824b8a3883074033bd2233afb75b34c53ead1a2
SHA512abe10e50fc69696181c8a88c1861567a24ad6c92471d1ff9e983dafa5de4112cef6d99a6c128280a18c9c664c9c559e05ea2809633fe80f3d4d249ef4bd028b8
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
20KB
MD5f3b1f8b7435a675a5d3bd513df1e1001
SHA1931068ac0cbdd9f264145c84583400f4ecce23c1
SHA2563bd0ac1318ba3d7827ae1ca44ee3a331107117dbbc5c48002cbbb4729da0d0d7
SHA5125312d6cc12734aa376b8c46fb1baf4965e93a4f07a24bbed9d6f01f286eff2351d2cdb2377bf4d3ddefcee741e70761210cca6f8e14adb19c21a412cb6588830
-
Filesize
2KB
MD51078b97fb2d214bae3d544af353da509
SHA17155ed424f32deb0bc44d7fd57bc81293ed20d62
SHA25654496acc9bdfbb474dd0379d0a31ba38e8420b8d0bcf935c07b8e450ccf38485
SHA5126545f697ad564bda980b1d98977199ede80d6a2ed101ee1eebc4ef4476124d5ab8529e7993ac35cbd36caa8724dabfcf7c9cd7fa4db89766f05e00436b807708
-
Filesize
11KB
MD58d1210fe51f6306ccaffac41171dd656
SHA133d8688e7e5abaf53e8a41685cd215bde89007c4
SHA256947d4fe7be066e70174ae601a968bb08c93e37f5b0530efb8683b21d2e2370e6
SHA51235fe0bf8ddfe909076ac4ab7247c473f210c695d4a5615688af6cb4905c3cd9705f9bdd6a4a48862cd666d89c80c912a0801147bbfd429911aa5a75c75029e69
-
Filesize
2KB
MD51078b97fb2d214bae3d544af353da509
SHA17155ed424f32deb0bc44d7fd57bc81293ed20d62
SHA25654496acc9bdfbb474dd0379d0a31ba38e8420b8d0bcf935c07b8e450ccf38485
SHA5126545f697ad564bda980b1d98977199ede80d6a2ed101ee1eebc4ef4476124d5ab8529e7993ac35cbd36caa8724dabfcf7c9cd7fa4db89766f05e00436b807708