Analysis
-
max time kernel
121s
-
max time network
122s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
10-06-2024 10:44
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
Resource
win10v2004-20240426-en
General
-
Target
VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
-
Size
356KB
-
MD5
1e096e7c6ffb32332933f693d00c6795
-
SHA1
28e7f909cbc28ca3af8af503111c5fc9f42502b7
-
SHA256
963aafe897132f8bd0fb1ce4beca2c4c2c04d8699a9e2612106c762cccca6256
-
SHA512
8c26ddc0f8a3da79646851fc39f57d44a654e3967dad708239f882ed273fd14522d771087b0ff0d688fbb15392145e176be519ada7fd94103a05b90aaab6141c
-
SSDEEP
6144:C94ZeMgE+D+G+33DpgPgRArNZltP8aLK9cdfdCWJATnKH92tIrWuZ/kE7eVmhgst:C94ZeMgE+D+G+33DpgPqArrltP839Yfj
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\_ReCoVeRy_+hrxuq.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/BBE5316D71F092
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/BBE5316D71F092
http://yyre45dbvn2nhbefbmh.begumvelic.at/BBE5316D71F092
http://xlowfznrg4wf7dli.ONION/BBE5316D71F092
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (420) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process
2460 cmd.exe
-
Drops startup file 3 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hrxuq.txt glyadqxsdajw.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hrxuq.html glyadqxsdajw.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_ReCoVeRy_+hrxuq.png glyadqxsdajw.exe
-
Executes dropped EXE 2 IoCs
pid Process
2752 glyadqxsdajw.exe
1120 glyadqxsdajw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\yeoosjw = "C:\\Windows\\system32\\CMD.EXE /c start C:\\Windows\\glyadqxsdajw.exe" glyadqxsdajw.exe
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 2760 set thread context of 2572 2760 VirusShare_1e096e7c6ffb32332933f693d00c6795.exe 28
PID 2752 set thread context of 1120 2752 glyadqxsdajw.exe 34
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\glyadqxsdajw.exe VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
File created C:\Windows\glyadqxsdajw.exe VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
1604 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1120 glyadqxsdajw.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2572 VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
Token: SeDebugPrivilege 1120 glyadqxsdajw.exe
Token: SeIncreaseQuotaPrivilege 2720 WMIC.exe
Token: SeSecurityPrivilege 2720 WMIC.exe
Token: SeTakeOwnershipPrivilege 2720 WMIC.exe
Token: SeLoadDriverPrivilege 2720 WMIC.exe
Token: SeSystemProfilePrivilege 2720 WMIC.exe
Token: SeSystemtimePrivilege 2720 WMIC.exe
Token: SeProfSingleProcessPrivilege 2720 WMIC.exe
Token: SeIncBasePriorityPrivilege 2720 WMIC.exe
Token: SeCreatePagefilePrivilege 2720 WMIC.exe
Token: SeBackupPrivilege 2720 WMIC.exe
Token: SeRestorePrivilege 2720 WMIC.exe
Token: SeShutdownPrivilege 2720 WMIC.exe
Token: SeDebugPrivilege 2720 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2720 WMIC.exe
Token: SeRemoteShutdownPrivilege 2720 WMIC.exe
Token: SeUndockPrivilege 2720 WMIC.exe
Token: SeManageVolumePrivilege 2720 WMIC.exe
Token: 33 2720 WMIC.exe
Token: 34 2720 WMIC.exe
Token: 35 2720 WMIC.exe
Token: SeBackupPrivilege 1864 vssvc.exe
Token: SeRestorePrivilege 1864 vssvc.exe
Token: SeAuditPrivilege 1864 vssvc.exe
Token: SeIncreaseQuotaPrivilege 2196 WMIC.exe
Token: SeSecurityPrivilege 2196 WMIC.exe
Token: SeTakeOwnershipPrivilege 2196 WMIC.exe
Token: SeLoadDriverPrivilege 2196 WMIC.exe
Token: SeSystemProfilePrivilege 2196 WMIC.exe
Token: SeSystemtimePrivilege 2196 WMIC.exe
Token: SeProfSingleProcessPrivilege 2196 WMIC.exe
Token: SeIncBasePriorityPrivilege 2196 WMIC.exe
Token: SeCreatePagefilePrivilege 2196 WMIC.exe
Token: SeBackupPrivilege 2196 WMIC.exe
Token: SeRestorePrivilege 2196 WMIC.exe
Token: SeShutdownPrivilege 2196 WMIC.exe
Token: SeDebugPrivilege 2196 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2196 WMIC.exe
Token: SeRemoteShutdownPrivilege 2196 WMIC.exe
Token: SeUndockPrivilege 2196 WMIC.exe
Token: SeManageVolumePrivilege 2196 WMIC.exe
Token: 33 2196 WMIC.exe
Token: 34 2196 WMIC.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1716 iexplore.exe
1440 DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1716 iexplore.exe
868 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target
PID 2760 wrote to memory of 2572 2760 VirusShare_1e096e7c6ffb32332933f693d00c6795.exe 28
PID 2572 wrote to memory of 2752 2572 VirusShare_1e096e7c6ffb32332933f693d00c6795.exe 29
PID 2572 wrote to memory of 2460 2572 VirusShare_1e096e7c6ffb32332933f693d00c6795.exe 30
PID 2752 wrote to memory of 1120 2752 glyadqxsdajw.exe 34
PID 1120 wrote to memory of 2720 1120 glyadqxsdajw.exe 35
PID 1120 wrote to memory of 1604 1120 glyadqxsdajw.exe 43
PID 1120 wrote to memory of 1716 1120 glyadqxsdajw.exe 44
PID 1716 wrote to memory of 868 1716 iexplore.exe 46
PID 1120 wrote to memory of 2196 1120 glyadqxsdajw.exe 47
PID 1120 wrote to memory of 2972 1120 glyadqxsdajw.exe 50
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System glyadqxsdajw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" glyadqxsdajw.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
PID:2760 C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2572 C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_1e096e7c6ffb32332933f693d00c6795.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752 C:\Windows\glyadqxsdajw.exe
      Command line: C:\Windows\glyadqxsdajw.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:1120 C:\Windows\glyadqxsdajw.exe
        Command line: C:\Windows\glyadqxsdajw.exe
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2720 C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
        PID:1604 C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT
          - Opens file in notepad (likely ransom note)
        PID:1716 C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\_ReCoVeRy_.HTM
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:868 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        PID:2196 C:\Windows\System32\wbem\WMIC.exe
          Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken
        PID:2972 C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\GLYADQ~1.EXE
    PID:2460 C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
      - Deletes itself
PID:1864 C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
PID:1440 C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads