Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2024 00:38
Static task
static1
Behavioral task
behavioral1
Sample: Version 2.8.exe
Resource: win7-20231129-en
Behavioral task
behavioral2
Sample: Version 2.8.exe
Resource: win10v2004-20240226-en
General
Target: Version 2.8.exe
Size: 227KB
MD5: 2ab8e3e63a7c847855ad80770dc2fd59
SHA1: dae76d78053f9699f4cb7ccae51df9d4b6202ac7
SHA256: 7d306cc818d68effe14ccbebc60f2bb6de75a9e6fb2c840e5ffe575ebf98376b
SHA512: 6a968d8c7e96c121b77a8bdc14e709fa79301d6f660d933e487008c09f6bdbf356ac4bfa31bab62f8dd69cfbc2e8c43a17ff86133a8d0c1cd4db343cf8366b31
SSDEEP: 6144:yR9ixUkjCMkI3pwo9EkhtNK3OotdWV3vBLGC:oof+ewfkhsnWBvBj
Malware Config
Extracted
C:\Users\Admin\Desktop\read_it.txt
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3804-1-0x0000000000C50000-0x0000000000CA0000-memory.dmp | family_chaos
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
4344 | bcdedit.exe
1512 | bcdedit.exe
-
Deletes backup catalog
Processes:
pid | process
4304 | wbadmin.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | Version 2.8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
404 | svchost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
-
Drops file in System32 directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36fz2ldwf.jpg" | svchost.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 15 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2868 | vssadmin.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | mspaint.exe
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | svchost.exe
-
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
pid | process
3600 | NOTEPAD.EXE
668 | NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 8 IoCs
Processes:
pid | process
404 | svchost.exe
4296 | EXCEL.EXE
272 | EXCEL.EXE
4312 | WINWORD.EXE
4312 | WINWORD.EXE
2972 | EXCEL.EXE
3788 | EXCEL.EXE
2276 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2276 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of SetWindowsHookEx 58 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Version 2.8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Version 2.8.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3804
    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 404
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
          PID: 1172
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
              PID: 2868
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
              PID: 316
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          - Suspicious use of WriteProcessMemory
          PID: 3580
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
              PID: 1512
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
              PID: 4344
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          - Suspicious use of WriteProcessMemory
          PID: 3204
            C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
              PID: 4304
        C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          - Opens file in notepad (likely ransom note)
          PID: 3600
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 4432
-
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 2788
-
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 4812
-
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID: 4228
-
C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\read_it.txt
  - Opens file in notepad (likely ransom note)
  PID: 668
-
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2968
-
C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1668
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 624
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\SuspendStop.xla"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4296
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\SuspendStop.xla"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 272
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Documents\WatchUnpublish.dotm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4312
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\CompressDisable.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2972
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\CompareRequest.ods"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3788
-
C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\CheckpointCompress.bmp"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3024
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 4940
-
C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\ExpandResize.jpeg" /ForceBootstrapPaint3D
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2296
-
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory
  PID: 2836
-
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 3576
-
C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\DismountHide.mpeg"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 2276
Network
MITRE ATT&CK Enterprise v15
Downloads