Resubmissions
- 31/03/2024, 14:49 240331-r687xsec77 10
- 29/03/2024, 09:29 240329-lf9swaeg87 10
- 29/03/2024, 08:58 240329-kw8ebaed26 10
- 29/03/2024, 08:57 240329-kwtadsed22 10
- 29/03/2024, 08:49 240329-krew7sec34 10

Analysis
- max time kernel: 551s
- max time network: 514s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 29/03/2024, 09:29

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | 234.zip | win7-20240221-en |
| behavioral2 | 234.zip | win10v2004-20240226-en |
| behavioral3 | 234.zip | win11-20240221-en |
| behavioral4 | antivirus.exe | win7-20240221-en |
| behavioral5 | antivirus.exe | win10v2004-20240319-en |
| behavioral6 | antivirus.exe | win11-20240221-en |

General
- Target: antivirus.exe
- Size: 144KB
- MD5: 4016477fd044882c78f3c1a47d7322e1
- SHA1: 6c75ffa25ef2d1d6a658ff415b2e47964032fc6a
- SHA256: fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633
- SHA512: 17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1
- SSDEEP: 3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ

Malware Config
Signatures

Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 2 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral6/memory/572-0-0x00000000001E0000-0x000000000020A000-memory.dmp | family_chaos |
| behavioral6/files/0x000400000002a745-6.dat | family_chaos |

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

| pid | Process |
| --- | --- |
| 3208 | bcdedit.exe |
| 3464 | bcdedit.exe |

Deletes backup catalog

| pid | Process |
| --- | --- |
| 4368 | wbadmin.exe |

Drops startup file 6 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt | svchost.exe |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.pvog | taskmgr.exe |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hahaha.txt | taskmgr.exe |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url | taskmgr.exe |

Executes dropped EXE 1 IoCs

| pid | Process |
| --- | --- |
| 2520 | svchost.exe |

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 36 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini | Decrypter.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4181651180-3163410697-3990547336-1000\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | Decrypter.exe |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe |

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\s249llnut.jpg" | svchost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3uh5x6971.jpg" | Decrypter.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe |

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.

| pid | Process |
| --- | --- |
| 4724 | vssadmin.exe |

Modifies Internet Explorer settings

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Internet Explorer\TypedURLs | taskmgr.exe |

Modifies registry class 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings | svchost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings | taskmgr.exe |

Opens file in notepad (likely ransom note) 1 IoCs

| pid | Process |
| --- | --- |
| 3148 | NOTEPAD.EXE |

Suspicious behavior: AddClipboardFormatListener 1 IoCs

| pid | Process |
| --- | --- |
| 2520 | svchost.exe |

Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
| --- | --- |
| 572 | antivirus.exe |
| 2520 | svchost.exe |
| 1592 | taskmgr.exe |

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

| pid | Process |
| --- | --- |
| 1592 | taskmgr.exe |

Suspicious use of AdjustPrivilegeToken 54 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 572 | antivirus.exe |
| Token: SeDebugPrivilege | 2520 | svchost.exe |
| Token: SeBackupPrivilege | 2172 | vssvc.exe |
| Token: SeRestorePrivilege | 2172 | vssvc.exe |
| Token: SeAuditPrivilege | 2172 | vssvc.exe |
| Token: SeIncreaseQuotaPrivilege | 784 | WMIC.exe |
| Token: SeSecurityPrivilege | 784 | WMIC.exe |
| Token: SeTakeOwnershipPrivilege | 784 | WMIC.exe |
| Token: SeLoadDriverPrivilege | 784 | WMIC.exe |
| Token: SeSystemProfilePrivilege | 784 | WMIC.exe |
| Token: SeSystemtimePrivilege | 784 | WMIC.exe |
| Token: SeProfSingleProcessPrivilege | 784 | WMIC.exe |
| Token: SeIncBasePriorityPrivilege | 784 | WMIC.exe |
| Token: SeCreatePagefilePrivilege | 784 | WMIC.exe |
| Token: SeBackupPrivilege | 784 | WMIC.exe |
| Token: SeRestorePrivilege | 784 | WMIC.exe |
| Token: SeShutdownPrivilege | 784 | WMIC.exe |
| Token: SeDebugPrivilege | 784 | WMIC.exe |
| Token: SeSystemEnvironmentPrivilege | 784 | WMIC.exe |
| Token: SeRemoteShutdownPrivilege | 784 | WMIC.exe |
| Token: SeUndockPrivilege | 784 | WMIC.exe |
| Token: SeManageVolumePrivilege | 784 | WMIC.exe |
| Token: 33 | 784 | WMIC.exe |
| Token: 34 | 784 | WMIC.exe |
| Token: 35 | 784 | WMIC.exe |
| Token: 36 | 784 | WMIC.exe |
| Token: SeBackupPrivilege | 2116 | wbengine.exe |
| Token: SeRestorePrivilege | 2116 | wbengine.exe |
| Token: SeSecurityPrivilege | 2116 | wbengine.exe |
| Token: SeDebugPrivilege | 1592 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 1592 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 1592 | taskmgr.exe |
| Token: SeDebugPrivilege | 1800 | Decrypter.exe |

Suspicious use of FindShellTrayWindow 64 IoCs

| pid | Process |
| --- | --- |
| 1592 | taskmgr.exe |

Suspicious use of SendNotifyMessage 64 IoCs

| pid | Process |
| --- | --- |
| 1592 | taskmgr.exe |

Suspicious use of WriteProcessMemory 20 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 572 wrote to memory of 2520 | 572 | antivirus.exe | 78 |
| PID 2520 wrote to memory of 1284 | 2520 | svchost.exe | 80 |
| PID 1284 wrote to memory of 4724 | 1284 | cmd.exe | 82 |
| PID 1284 wrote to memory of 784 | 1284 | cmd.exe | 85 |
| PID 2520 wrote to memory of 2568 | 2520 | svchost.exe | 87 |
| PID 2568 wrote to memory of 3208 | 2568 | cmd.exe | 89 |
| PID 2568 wrote to memory of 3464 | 2568 | cmd.exe | 90 |
| PID 2520 wrote to memory of 4736 | 2520 | svchost.exe | 91 |
| PID 4736 wrote to memory of 4368 | 4736 | cmd.exe | 93 |
| PID 2520 wrote to memory of 3148 | 2520 | svchost.exe | 97 |

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes
- C:\Users\Admin\AppData\Local\Temp\antivirus.exe (PID 572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\antivirus.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2520)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    Signatures: Drops startup file; Executes dropped EXE; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 1284)
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 4724)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\System32\Wbem\WMIC.exe (PID 784)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 2568)
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\bcdedit.exe (PID 3208)
        Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Signatures: Modifies boot configuration data using bcdedit
      - C:\Windows\system32\bcdedit.exe (PID 3464)
        Command line: bcdedit /set {default} recoveryenabled no
        Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\System32\cmd.exe (PID 4736)
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wbadmin.exe (PID 4368)
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
    - C:\Windows\system32\NOTEPAD.EXE (PID 3148)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt
      Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\vssvc.exe (PID 2172)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 2116)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe (PID 1308)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 3048)
  Command line: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Windows\system32\cmd.exe (PID 4720)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResetOpen.bat" "
- C:\Windows\system32\AUDIODG.EXE (PID 1416)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
- C:\Windows\system32\taskmgr.exe (PID 1592)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures: Drops startup file; Checks SCSI registry key(s); Checks processor information in registry; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\system32\WININIT.exe (PID 4652)
    Command line: "C:\Windows\system32\WININIT.exe"
- C:\Windows\System32\rundll32.exe (PID 4816)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\DataExchangeHost.exe (PID 4132)
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
- C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe (PID 1800)
  Command line: "C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe"
  Signatures: Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221122953.log
  Filesize: 15KB