Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 17:28
Static task
static1
Behavioral task
behavioral1
Sample
KatyushaRansomware.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
KatyushaRansomware.exe
Resource
win10v2004-20240802-en
General
-
Target
KatyushaRansomware.exe
-
Size
2.4MB
-
MD5
7f87db33980c0099739de40d1b725500
-
SHA1
f0626999b7f730f9003ac1389d3060c50068da5a
-
SHA256
d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6
-
SHA512
1bf8e63a09ee7618102982a1d8c39c2eada1e7c52452d0cadb0df9010421799171880580dd6e4d5fb371d314ee7676d438ab827ef1695bb9de95835ac7cb47f8
-
SSDEEP
49152:tzlhgyBIjVpPZHZlPpLPk0vglJIAc/8KYBsxdO0G7x+dP1Y+:zy9jRZlFknvzcEKY8dOD7x8NY
Malware Config
Extracted
C:\_how_to_decrypt_you_files.txt
3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
https://www.bithumb.com/
http://www.coinone.com/
https://www.gopax.co.kr/
http://www.localbitcoins.com/
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/memory/2956-68-0x0000000140000000-0x0000000140106000-memory.dmp mimikatz -
Executes dropped EXE 3 IoCs
pid Process 2124 zkts.exe 2956 m64.exe 1912 ktsi.exe -
Loads dropped DLL 3 IoCs
pid Process 2076 cmd.exe 2716 cmd.exe 2748 KatyushaRansomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: ktsi.exe File opened (read-only) \??\X: ktsi.exe File opened (read-only) \??\E: ktsi.exe File opened (read-only) \??\L: ktsi.exe File opened (read-only) \??\R: ktsi.exe File opened (read-only) \??\S: ktsi.exe File opened (read-only) \??\N: ktsi.exe File opened (read-only) \??\U: ktsi.exe File opened (read-only) \??\T: ktsi.exe File opened (read-only) \??\Y: ktsi.exe File opened (read-only) \??\I: ktsi.exe File opened (read-only) \??\J: ktsi.exe File opened (read-only) \??\K: ktsi.exe File opened (read-only) \??\M: ktsi.exe File opened (read-only) \??\Q: ktsi.exe File opened (read-only) \??\V: ktsi.exe File opened (read-only) \??\Z: ktsi.exe File opened (read-only) \??\G: ktsi.exe File opened (read-only) \??\H: ktsi.exe File opened (read-only) \??\O: ktsi.exe File opened (read-only) \??\P: ktsi.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.katyusha ktsi.exe File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\Synchronization.rll.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ALERT.ICO.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.katyusha ktsi.exe File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18199_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\SOCIALCONNECTORRES.DLL.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\XIMAGE3B.DLL.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.katyusha ktsi.exe File created C:\Program Files\Java\jre7\lib\ext\dnsns.jar.katyusha ktsi.exe File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\SOCIALPROVIDER.DLL.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.katyusha ktsi.exe File created C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.katyusha ktsi.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.katyusha ktsi.exe File created C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.katyusha ktsi.exe File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00668_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217302.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02092_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00208_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188679.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXC.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.katyusha ktsi.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.katyusha ktsi.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.katyusha ktsi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ktsi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zkts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KatyushaRansomware.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Interacts with shadow copies 3 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1796 vssadmin.exe 552 vssadmin.exe 2644 vssadmin.exe 2792 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 2800 taskkill.exe 3012 taskkill.exe 2184 taskkill.exe 2152 taskkill.exe 1948 taskkill.exe 1648 taskkill.exe 2324 taskkill.exe 1664 taskkill.exe 1688 taskkill.exe 2356 taskkill.exe 2912 taskkill.exe 3032 taskkill.exe 2692 taskkill.exe 1880 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000e6e5138383c4b3d58bf30c1c30c12513189fceaaf0c0a33fd511e2efb9cb339e000000000e8000000002000020000000ec5bdab701342cf12268b9102559c52a8cf0aa221e5b448c2f06bc7ba4212ffd9000000014044d7092e0b0ef18ec1e9dee61cdadb2f807fd17aca2e518f64d23643c3dc9d5675d24e5f61f88f688634bff48aa3db3a1ac2768f1d7a03ee033896245a9a6bf64ffedd9b960f5b6c6cace1d203725bfed1804922ca2ad26e05f225894fd4e3c1da45822c7f006087251904ddee51e460c74c82941660a261a5812d809284df96586a05d6073ce0dc98246319b5417400000009de6532ba3aa9539f761df2f78f536c755db72626c3f38516fa3b26d37d183028e87756eff9a31a047c39b207d2e75f09f08797bc7fb15157854e40cce3f6c9a iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433188009" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0409dfd140ddb01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28B84171-7908-11EF-8B64-E6B33176B75A} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000007e27c7424a4299e02d21cae67ba7cbdf0a6abfac69c47443a009cbd75356e19d000000000e800000000200002000000005a717d32a2d43feef626402455189e73dd7dd774086077d9bf7da495c51641020000000ae2198f2273ce842ccbd724694904b70854fc6f12c44ffb6f31f12bc79449bd640000000998d249ff6da45fdec2092d4c5afeb162e0dd9d6c508b23e90c5553353ab1d0252a669830973635dece4777346c656bbcc391f68283f917fe6c132a37d44db58 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2720 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2956 m64.exe 2956 m64.exe 2956 m64.exe 2956 m64.exe 2956 m64.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 2956 m64.exe Token: SeDebugPrivilege 1948 taskkill.exe Token: SeDebugPrivilege 2324 taskkill.exe Token: SeDebugPrivilege 1648 taskkill.exe Token: SeDebugPrivilege 1880 taskkill.exe Token: SeDebugPrivilege 1664 taskkill.exe Token: SeDebugPrivilege 1688 taskkill.exe Token: SeDebugPrivilege 2356 taskkill.exe Token: SeDebugPrivilege 2912 taskkill.exe Token: SeDebugPrivilege 3032 taskkill.exe Token: SeDebugPrivilege 2184 taskkill.exe Token: SeDebugPrivilege 3012 taskkill.exe Token: SeDebugPrivilege 2800 taskkill.exe Token: SeDebugPrivilege 2152 taskkill.exe Token: SeDebugPrivilege 2692 taskkill.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeBackupPrivilege 696 vssvc.exe Token: SeRestorePrivilege 696 vssvc.exe Token: SeAuditPrivilege 696 vssvc.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe Token: SeBackupPrivilege 1912 ktsi.exe Token: SeSecurityPrivilege 1912 ktsi.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1016 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1016 iexplore.exe 1016 iexplore.exe 2688 IEXPLORE.EXE 2688 IEXPLORE.EXE 2688 IEXPLORE.EXE 2688 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2076 2748 KatyushaRansomware.exe 31 PID 2748 wrote to memory of 2076 2748 KatyushaRansomware.exe 31 PID 2748 wrote to memory of 2076 2748 KatyushaRansomware.exe 31 PID 2748 wrote to memory of 2076 2748 KatyushaRansomware.exe 31 PID 2076 wrote to memory of 2124 2076 cmd.exe 32 PID 2076 wrote to memory of 2124 2076 cmd.exe 32 PID 2076 wrote to memory of 2124 2076 cmd.exe 32 PID 2076 wrote to memory of 2124 2076 cmd.exe 32 PID 2748 wrote to memory of 2716 2748 KatyushaRansomware.exe 33 PID 2748 wrote to memory of 2716 2748 KatyushaRansomware.exe 33 PID 2748 wrote to memory of 2716 2748 KatyushaRansomware.exe 33 PID 2748 wrote to memory of 2716 2748 KatyushaRansomware.exe 33 PID 2716 wrote to memory of 2956 2716 cmd.exe 34 PID 2716 wrote to memory of 2956 2716 cmd.exe 34 PID 2716 wrote to memory of 2956 2716 cmd.exe 34 PID 2716 wrote to memory of 2956 2716 cmd.exe 34 PID 2748 wrote to memory of 1912 2748 KatyushaRansomware.exe 35 PID 2748 wrote to memory of 1912 2748 KatyushaRansomware.exe 35 PID 2748 wrote to memory of 1912 2748 KatyushaRansomware.exe 35 PID 2748 wrote to memory of 1912 2748 KatyushaRansomware.exe 35 PID 1912 wrote to memory of 2592 1912 ktsi.exe 37 PID 1912 wrote to memory of 2592 1912 ktsi.exe 37 PID 1912 wrote to memory of 2592 1912 ktsi.exe 37 PID 1912 wrote to memory of 2592 1912 ktsi.exe 37 PID 2592 wrote to memory of 1948 2592 cmd.exe 38 PID 2592 wrote to memory of 1948 2592 cmd.exe 38 PID 2592 wrote to memory of 1948 2592 cmd.exe 38 PID 2592 wrote to memory of 1948 2592 cmd.exe 38 PID 1912 wrote to memory of 1596 1912 ktsi.exe 40 PID 1912 wrote to memory of 1596 1912 ktsi.exe 40 PID 1912 wrote to memory of 1596 1912 ktsi.exe 40 PID 1912 wrote to memory of 1596 1912 ktsi.exe 40 PID 1596 wrote to memory of 2324 1596 cmd.exe 41 PID 1596 wrote to memory of 2324 1596 cmd.exe 41 PID 1596 wrote to memory of 2324 1596 cmd.exe 41 PID 1596 wrote to memory of 2324 1596 cmd.exe 41 PID 1912 wrote to memory of 2004 1912 ktsi.exe 42 PID 1912 wrote to memory of 2004 1912 ktsi.exe 42 PID 1912 wrote to memory of 2004 1912 ktsi.exe 42 PID 1912 wrote to memory of 2004 1912 ktsi.exe 42 PID 2004 wrote to memory of 1648 2004 cmd.exe 43 PID 2004 wrote to memory of 1648 2004 cmd.exe 43 PID 2004 wrote to memory of 1648 2004 cmd.exe 43 PID 2004 wrote to memory of 1648 2004 cmd.exe 43 PID 1912 wrote to memory of 672 1912 ktsi.exe 44 PID 1912 wrote to memory of 672 1912 ktsi.exe 44 PID 1912 wrote to memory of 672 1912 ktsi.exe 44 PID 1912 wrote to memory of 672 1912 ktsi.exe 44 PID 672 wrote to memory of 1880 672 cmd.exe 45 PID 672 wrote to memory of 1880 672 cmd.exe 45 PID 672 wrote to memory of 1880 672 cmd.exe 45 PID 672 wrote to memory of 1880 672 cmd.exe 45 PID 1912 wrote to memory of 1700 1912 ktsi.exe 46 PID 1912 wrote to memory of 1700 1912 ktsi.exe 46 PID 1912 wrote to memory of 1700 1912 ktsi.exe 46 PID 1912 wrote to memory of 1700 1912 ktsi.exe 46 PID 1700 wrote to memory of 1664 1700 cmd.exe 47 PID 1700 wrote to memory of 1664 1700 cmd.exe 47 PID 1700 wrote to memory of 1664 1700 cmd.exe 47 PID 1700 wrote to memory of 1664 1700 cmd.exe 47 PID 1912 wrote to memory of 1984 1912 ktsi.exe 48 PID 1912 wrote to memory of 1984 1912 ktsi.exe 48 PID 1912 wrote to memory of 1984 1912 ktsi.exe 48 PID 1912 wrote to memory of 1984 1912 ktsi.exe 48 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\KatyushaRansomware.exe"C:\Users\Admin\AppData\Local\Temp\KatyushaRansomware.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:/windows/temp/zkts.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\windows\temp\zkts.exec:/windows/temp/zkts.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:/windows/temp/m64.exe2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\windows\temp\m64.exec:/windows/temp/m64.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
-
C:\Windows\temp\ktsi.exe"C:\Windows\temp\ktsi.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM mysqld.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM mysqld.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM httpd.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM httpd.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM sqlservr.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sqlservr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM sqlwriter.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sqlwriter.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM w3wp.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM w3wp.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM sqlagent.exe3⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM sqlagent.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM fdhost.exe3⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM fdhost.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM fdlauncher.exe3⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM fdlauncher.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM reportingservicesservice.exe3⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM reportingservicesservice.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM omtsreco.exe3⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM omtsreco.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM tnslsnr.exe3⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM tnslsnr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM oracle.exe3⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM oracle.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM emagent.exe3⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM emagent.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /F /IM mysqld-nt.exe3⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM mysqld-nt.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet&vssadmin delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1796
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet&vssadmin delete shadows /all /quiet3⤵PID:1596
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2644
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2792
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\_how_to_decrypt_you_files.txt3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" c:/ProgramData/_how_to_decrypt_you_files.txt3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1016 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2688
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:552
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:696
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.katyusha
Filesize27KB
MD55d2bce55ab3850f6fa77205aaeb9af80
SHA1402684832fe7bbe3a6bfa055fd8f5cda4ce852ce
SHA2568c79c871a6bc480897c9f8b725bbe377931c085151f163859e24cda67d460530
SHA512f3bd85700d32ba1f169a033b1e59f241f5fd481c49705e389db586c4ca97628556f8f650d0acbfb40a7a9a36d8b5eb1d7d773f7d114a72fe3816c0a5f222a2dc
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.katyusha
Filesize352B
MD506ab0a7c757b94a1f42d2053a14683e2
SHA10c679623b35ba7b887c1bd5560fd9429f9ea7f86
SHA256b67eed4dc793c89dab1df37af0d5b2394b61f6b70e85ceff797efb05346eaf8a
SHA51241ae1b470ae25a5d1d40f996bcc6f37ef86de8b329d69591e1ade07d3d060803c3aa1f5417882043d0351025a8a0494f572f8d56af556ee2609957d9808ad6c2
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.katyusha
Filesize224B
MD5857d2986385ec5db6e5f8e2f28d72309
SHA12a2c0c3a941f1ad28868de6ef6497fe2475859d6
SHA2567bf41f9cb228c3c1fc11d6578a95b1eaea3461d6a3c2e65af53a32b0afe83ed1
SHA512325c71b66669a7e433bb0d3a98509fa056a1f7e47e34da24879fc817b31bdc32165cef5491d819883eb95503efa23a08ac9f13a3343745416b706435c5d8d885
-
Filesize
128B
MD57e235e14dc88a1a5d62a7bf13f05f234
SHA1bd353a1dfdad2dd827b39fd51eb1d7d31ab6d7ab
SHA25634654baef7bc23947a5caddd253b65467edab35069cbd3ef84e230864fc38002
SHA5126ae629d4f19e606a1d4c5b4232fc9924dcfe04a77e18fcc26ab56b1510f0533b1765482b0dfeea429472b92a1991d8c291eff67eb01c4561e0bd8f498350e24b
-
Filesize
128B
MD5251ff27a3bc04b390775e1be85863568
SHA13bfb40ceb8c27f0627771c0904f9bb0cdba3b226
SHA256d2aa1674a97ee3817962b706e77c2fc094d2dc66b96c157fc1ddc66ce88e0a45
SHA5125a625b353d92859235b3dd4c77894148c1c005aee5cdd55aee42680d7c6f7f29525280857b9175bab6ad5d387093754d4fe59b16097595f8933c2839e94c0c75
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.katyusha
Filesize192B
MD59588b6a65b692b2c7303d00e45451a94
SHA13f8591ce4225c33176a5712e5f1369211c815340
SHA256a4a839d20ce974f51cf8ca5b19089cbb3d409fd3ed4475ed4a40fd2cc5d08a2b
SHA512959659f2e25980c7c4fed02ae7aedef73b8a3d21d6ad275bdd12535570ed7f108e5c7bf6a0a2d7cca31c4f6a7c300eb2f8128772c1a6f034e63275f4aeeee7e8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.katyusha
Filesize512B
MD585138b186bb36f77330b83e28eaabe9f
SHA1f529116ba74d3974f10f76383584ebf2f43a31d7
SHA25637b0c01e8b359f16a78dfdb22430ee7d29ba681dc2dad9494005bb0cb93b6a8d
SHA512583babd3f741c9b8ed93af9e94d20900b11a25e265076ed2b81123242ddab9b78a52cfe68c65465c70f56f15fc676da671f5f822ed89f79a03b3b19887cdd3e0
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.katyusha
Filesize1KB
MD557330ed3e8c1b56abb132b1a0bf07d1b
SHA14a5a0e644385555183812e25c0df497547ec6140
SHA256d07f09015a8fe237d56a6177f5ded8840c04a8ada8eb9d26a6322a7235bea5a1
SHA51240f3de09d7d1efc25bb56eca4a263f78019ec20218db7895fd55e74e8f580c525c948185505e866fac7fa817165c931e476b7e0f2eefa5ee84c608445c53c5ff
-
Filesize
816B
MD571ee796bcdddf0d4aac768bd48b9c735
SHA1cec969bc82965bc69e0581df08b6f205993775bd
SHA256c5451c577997b32fec9e62f0a9da4662af16a05eaaf6e180107ec40cd46f6e21
SHA512e02207ed23287d38905b42c9a792b941d5ac4c32302d77717a8b0e83bd583280575104289bfcd81b8abe70ef1f17cd7a5adce207f8926f9e20ef4baaf7abffb1
-
Filesize
5KB
MD5feb02f7f9faed02a2701847b563064d1
SHA17efaed611057b151384041fd56ec1ae3d4a04ffc
SHA2566ba66a403fd1ff129a0fcb481947f974817fb631d278a8c00df9e86d430b1adf
SHA512d116c9fe40b035dab78a2edf65b153bf098788a401ce0b472f04a2c0fcdfdf5ee50376265447c5831980f343fcf92a148d6befa73b8f0af48c6ba75e6f413f04
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.katyusha
Filesize12KB
MD5dab56029ba131a795852d842f7f1ee89
SHA150174dde1b3c9b575e372de8222609481d8a46b8
SHA256b43f4fdfab84afc9b630069efe7a58f405176b4108f902cc03184326b7602b0a
SHA512ff616fe6f0860e6413317f9939c73f715a31fc0627b42f9b182394dae56a720940130755250ba22f5a07c9d4fa9db13e2b805809bb06d5ca0f7441578d7ad9bc
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.katyusha
Filesize8KB
MD51ef94be1c1ace8033644874c7ca25af4
SHA10ad847d1d8762b06865773b30879d771f966d95f
SHA2563f36da2bc2166b9d0336654fc508a8170e720b7aee882164cdbb5d7a440ffb95
SHA51251675f0be88cd31e1ca9ff3a08eed5db6e8f2df783462e4d372b60704ca6d9c3e5051aae38c64e77d274032265e116c246441ae1cb2a8374fd03f4877d37f37e
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.katyusha
Filesize64B
MD517c97d05980c0cb190a4e6e180a9711a
SHA1d31874918a67a004594fd9f4baa15e3d8f0f6f75
SHA2562e8089b1409c8f4134d473cb48176394cda154d57c99b251fecb0e1e83054833
SHA512148cf0949faf4ad461bc266e05f2371b723eabaee476ccdcac4e49ad7a5a7d14eac50fb5e31eb8004d75dc1fcc009e7c5dcc9f8942c8f2930065650c8bfd62d0
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.katyusha
Filesize7KB
MD5d31c81a1a91803ce5a43681913d156a6
SHA14888f6d74a3fe5b8384712e090380e5adf791de4
SHA256a153a317672457f6a740199e451681b2d04a2855422debdab9ebf60d1d6cbab2
SHA5126d1efc3812b4f6074f8d3cf9f4203e5614ff8d008e61ffda9c330df26a153281be4695c62648fd4f10f9eb7d39fd11c3b3b30f10fefec319c51a1f83acdd88e6
-
Filesize
16B
MD5fca03c80ccbb27e4a2d9c9c4f03c487a
SHA1bd639087c07076ab7fbe10663d23c81481ee69c2
SHA2567c1a8fa6c686588065e3f2466954e63e76969fa044af6adccc179a49b040272a
SHA512daecd65675a56c8a00c2e4fb0ccb4ed8fe013865341c3f15f8b11be2c3e2d29b8e589743d0d7fd737acaca0bc1f0e2f002c99b6a3a11d7e4c8383674f2830b4e
-
Filesize
160B
MD5ae46e1c71e41e736745f91f0e0227f59
SHA190321ac313bfb4fcbce596be387b8b45f7fecab5
SHA256274df53e5866caf87a095096eb75cc3e93a5e493f89449c0504426fcb1197081
SHA512638d17d42f81957e977117546d60fed88ce2489de13c8313b34e5773ad88bde3d19f9f137f2b266434f04eee891da3995290b691f8bdb9911e74b32ace3e26ea
-
Filesize
32B
MD592915b92cdbe6fca5de268a9ca2f8977
SHA152e548cd918b2b68de71859148b69cff3b6bc219
SHA256f24cf0e91d7750907cd744b86b3f2043379b7c02c30372fb390936fbc470f0cb
SHA512455d946757923d68d7b267d7015d5721ec312c7aaaca4f1e3b4e0c59f75efdbab63eee598592bcbe78dad2eb4c8aa7d7b2d23e6894f85d277610f1aab8693d47
-
Filesize
32B
MD5f3ed46f9bb3560f149599ce6b98fce95
SHA1ebdadd29f1881b706aacf2a81f9a4809705f95b3
SHA25698a8de7a825fbeee2314e29e60b4dfaaa1b4001b8e01d483c4303ef9967936f8
SHA5127982797738ebbea13d5d5b6a674e5ea8643ad50cf892f526700537cb1538510f9981aa631491693cf0b8c1da8916ae27ee194e3d5ed88d73abfec59d86ce58d5
-
Filesize
32B
MD55014b7d82848c7f3e5d98101671f2c68
SHA116940fd0a447200adafe9760640da069d54383e9
SHA25671fd9d2d2aff7bbb181d2fdd67548779ea15ed6c4469826b6a84c7c9374f9e92
SHA5124353080a3d9e30a89901c376a7ac38d308cd6f804af42f1f695848ab417d590918baf5e06adbcfe2dd61d592e4ee9fc7bd8253b6fbff1621bc962797bc8cc429
-
Filesize
32B
MD5d1c3bfd8ee5746f2864bc793b38a7f22
SHA1c57f1f70da1566aeb38aee07e81b0c540ec0e5df
SHA256dedc191676ca4d4811717bb53b3492bccc31eae59bbfab1a0d2769c02f45c1ae
SHA51274c74e0a9cc92d38e04050f8dc505293e4ffebef0126c754f1f7f3860a0ba4d1a9b72656b68ab2949f7d9c7a3524d59daa18ca6e10c5dc39a15d03f231362b40
-
Filesize
831KB
MD54de3a60ffec424a12beb20696426041d
SHA165a70d73fd891f25164569a83c4615e6e937bff3
SHA256220878d42c5ba1a8a927eb92be22e0f006989a4a633e1d6cf2da466f9893953a
SHA5125cf500a8229cf0b59a6bd2df9a4b1885129523ee45ba1e443f9cdc6829c2e9621b26625f0768fc60755b545895f6df16f762fffe230c0776ab5acaacc8a5dbb0
-
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.katyusha
Filesize140KB
MD5ad84896607edd7f08cd273e405c5ddb2
SHA14fffdb3262bda1df5426b1ae39560b5180c666ff
SHA2560d8a3983b129bb0920130a2cae4bf739dca33e0d65184c99fe40e36b4d43362b
SHA512910b4094f1bf5de543776be6b9cd7d4335590f182f8712ef83e6aa3345307e1230044350d3375ba973bb6159f3026145eae4ed7114bb7e61753416549785ebe7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bd81ce2208ae51ce08def7ce1d97f540
SHA102362d72985791fdb68f6d6bd3e83723b4cfa528
SHA256847d3cd50691e8ef18f22034ccb5eb81db708d15e268bd63848db1f2b3639d69
SHA512616e94e90e43fcc3538219330d079c485f2f506756ce51dd65d877d66ae1d8b3f319cb2e4b538c8107c1e50121d5e26fc32f4d45b259f5373d6caa4c983c1dd8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD599de2bea01a824557c36c5b471fe54ef
SHA14a995862490dd9caef8898857a81da160dc60c8b
SHA2569863dfbbef129848bb46c64616dc782e11119b94cbba9621c706ccf5368244ef
SHA512cc83c541df2a3d30d9f614f426ff5fae37045ae1a7ce943ddecd77846337b034a25641fce0622862a0bec49485e8df1e6585b2cad39c408e2dff675b1d1afcc3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD551b201c9d582df6312e620296d99c6be
SHA1f2fa4ca02ff06c11209d6fbf18d67ec42f7dc806
SHA256ff20f894a41d9aae41bd9bea0f6de02fbb1fdb673291c6ef8e9bd9b55110531d
SHA512201155c461cecf5fb1547c04da5e1cdeafb201acef9e38d470b33f1bab48d7fd9c159e2bc49eb97153b1549f8e7ddeeb535541be91314f0b998e477eb21db4c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fd24d8e677e5c33ae325af9a0322d76c
SHA11ed71a62b8d9f08f65f5e8fe6bec9af141811b5b
SHA25636332d5ad089a7b76d5d3046a13c1d0d850301eef91a332ef9b934caff59a5b5
SHA51296d638bb27b412be01e82e8f4ad5fc90f38f39efa1edf0fdafc420bc9981dda6d45ce1c3f55463c2683c3f4c0b4a4a304bec9175041b5b465a1cba1fec7a2956
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fda9af8a8b055b6d618077457de4db09
SHA14ec862d577c450ddd45d99abf582152985f07f4a
SHA25617b1c7fe33a9cc5d40af52c673f89f172e0c066969d9322fe5bc4a3310c22079
SHA51209cbf04e7059cee9b54110c268927b155971dadd57c541f616a288ce343a57a961ef85d70394cc2167e264fdd742ff5bed8c18fea3eb3e5359ddf4ba1f3900c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD596f05357e09e3ca27fb3e3e9ba7afba1
SHA1c470a3ae04b11aa87d6b381ce3fe1bde64bbb96e
SHA2567b48d8713b4780ab22753f550cc414ad5e809301e4b10c79114aa9aad16f2e98
SHA5127fed4b64f95fb5ce6d145f915e3f80f573776e24cc91b3c5e5067dfb1a290ff842542d233e4a26cbadb54b38daede869d00f6bcb00ba20acb1b72b421766e459
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59bb90aa10393b9d567e6b10286ddf79f
SHA1eb2279d3cafda104c78f975e9011773991164e3d
SHA2565e7464cfa49940b46ef5480884b44cde33d01338dddf26dda4642c937bac2ef6
SHA5129f7e060eddaefc977f6ad4db6838f85b4b1267f19e2013a9b773a802b71dfe566f07896ce3d9b9c396c9661a3a8e278bc8edbebf4eaf01549bf9401f9aeff167
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ce78fa59495812951157b0e030abb5a1
SHA149d30d3b1d0e8da03258f1e7eef261f928412e82
SHA256a25486cd7cbf1708f3496512a273f61587150816df5575ed2455ab5ed3236d6d
SHA5122fa870d8b56e92d7fa8dfea1fb67cfe9a9022952f0a09fed88bb63e6f92a789970ff8dbb476767dfec1f0450fd5e60dc14b97945ba3b46564b816d8623d9e20e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56719d123967a4efde00efa356a47446d
SHA142b74a48254a1e814c29dbb96f26797ff839ad4f
SHA2565ceb409617180d0ad787da7ed1c9ab393de9691fe9363cb351e81337b8825a93
SHA51235548e4cb48ccf9613db37307427acfeb927309f0bef069378a70c892b869352d7bb53fc35503854f9ce6778a3fbd31e7e491016548f612fa015bad345b91072
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5584b0687d21b2b4f788aae780085fe19
SHA1e33aba9ab4163aa710f6e532f8c290a7af0002dc
SHA256dc174355b767f57cb4daac734e2f97a21012fcbe4b1ed273e4a28003ec0de5a0
SHA512bae0830be9856ae3db2706cddd9b335cbfaded5014029de4c72665b9982706116b8cbf1d8000412d7bca6be16436548400307bc225ebe1528a447678e1e4e279
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f8995596536b5c0863b6fc5ec4cb7b00
SHA15910b463b8914291ecfcbb007b969a6238257c2f
SHA256de5930fd75ff63d0c6d85112644c355cda035b7218f5b7826c1697a69cab5f46
SHA5120b8cc1df954e6345e8e03042833f1fb0e7327930f90d6f97002d1601a7c9fe65a7424bb1e60ebb23bb0cf8277365b636f6659b022b237b6fc8fa2c39fc3b93b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59eead6868a0ccb3c82dbf4c7ccfb4669
SHA13ecacbd87994f9f008e4eccaf1fe6073ddae2be8
SHA256583b9679b6ef13def9652d5d1a2e70535dc8b0bd7dfa80691b3cb92ee4f1fa93
SHA512837c81ce60bb364e4a0ed7d946942afbe9c1c9d87d3d281d93fdf9844617dee84894dbd94b97d2114ca86475240226161ae59e107af6b20ba0e3e3ba0cbc50c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5485ca026e8c323b9a7d56e57af4f79f3
SHA13344575b72bde6020636efa6aef58195ad48072c
SHA256f145826116c64b6f237b2ecd8e0e8b2a302d2d04d7bf9d504f5ca7e531b92051
SHA5121d8a3d3518a612476ffca011447b682dcf466c054a282ac96d96edfd72928b663fd5c529cf059a2908d933abee51b9bac82b8306d99a7d4e6c4623d93d3da814
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ff9a90b5c7e58daac1a61876136f0745
SHA1d95600a03036bf5ae71e80f8a874167f789fdd8b
SHA25685a6893fc4627da3819385e89092837480ffcbe29c2f4c357c45b0d0d4bc5056
SHA512ce1c5fc7165f37d720d02ac24b4f41dd236ff4a825e32d42d80ccd41bcff75b250fb9e92322e94de7c5244afb4d694077a981fcda1f3dcb401eafde5b19f870c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5079908dfbb9a7cbb8966a66d7a704c8b
SHA12de0972f5155314c8f0d03e96bcf88df57f68e2c
SHA256a06c4b41092e6088c2137c74931897576ac2276475d55ab190522af33c1db2de
SHA512010c5dcd4d24aaf33c79bc9228478fd09d12b3a645813208c1860f0ea17ea3171180ec2bd878e7d3476f6619d2bf77bf44520843cca9cf6a491216c60cd8c82a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD541e90020d8c00cb50656a51a26fcedf1
SHA192462447f17d6d1a74da16e942667df2ed7320b3
SHA256d99222a525cb8b7326111681abde903e165b3ba5a2d7b0b0f28124ffb6fa9fab
SHA51286bde81d80b554b1bba8fdd7141f516cb68bb796566bc1b25bff4e8f933b584ca13b2e83c74a742737e772f145c8471bfd0602d662c81f0ac3d40002efbd92be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e9cd743cdcd022e44784fa501e9a6091
SHA1464220c72e672b9a59f503c223bf0933e5783c56
SHA2564e3c64b813f0399ccb1f2f301467d4294176c7473a29131f3ac0c8d650ae2e87
SHA5124b93f8a9bf9c39e0042244ea3ef881eea63de861895f5a14a0cb2480acb6e5e86522d6ef9baafb268262741209cafdc6295b9c480118ec1dd5a7fb1c02e747d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cccfab00d87db0cc75abcb01e92202d6
SHA1ede833eece52b771389fb94c763a0aa179b7cd21
SHA25675dbc31fd39fcc2d3a65ac262d61db2915cb21ce7786b69f62ab5fa7353ca962
SHA512232fc1fe99ac03ac364f6e1de67befea14a20c5a6bf116c2bd9813358f842f5d979df9d27b1bd81a38c02d841912f118e4e52af77eb03a22e0569cbad4809748
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD563c96a1b817d20a70cc45753312b054f
SHA1dc2bc26e4e0fff83e822463de5947bd19b179df0
SHA256ca9fa6f66dac48da5cf21f473b416ffabd3d8142a9d61a30d856f90b2d2e9ca5
SHA51286976a20c9974f33a9be92450f6a273940f797496295c4dfdc97f759710be5d3ad6f036013485ea2a6ff8395fc2f9dc75b3c6c34add676d962b38d7071a17561
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
109B
MD5c724b0b9b13ae8c19f365c59d2a563cc
SHA1d4757c1fcbea9c179a6179d378ade56db0e1b481
SHA25621092fa4e0997f1d87a35cae5ed3202bb32cb67fcb83ad17fb7f1ed23e51276c
SHA512fd4f472144f9ba360d929d8ca49847214a28b54d0e8b92356994cc963b7f5509f6e15e16fafbacb00703e36751b1ad992496bf12b794d538cf7d416110a834d8
-
Filesize
14KB
MD557038ea9149800946dd082a877c26ba7
SHA116cf8027bec62fb8a2b113bf1e659daaa6748e67
SHA256537df1abb8da984d0de852a82f27a0b7d05f4f706060eaac828b52c99910020b
SHA512dee9cd4134a48060494c9e0b90aff73e7417a22ac88efbcee5f566685b557d7ae1d1e5dcaecd23240a5c2d846830e241bfa81decf5c27e857f93f061b7fee2e2
-
Filesize
21B
MD58bb001ad1da746851b6724de8c78d37e
SHA1ce718e040a87289b21a254df474b2da9d8cb8c9c
SHA25668c368f677aa42a63a8a7a2865a31b6359db76179667814867bef528d99e94f3
SHA5125904bd71d89bfa5b81a9d303ad90421d7d5bfe875cf107329053b1650243cde752689b824984eb87c00b696d091c02ba62e3fc082ea45385240f69ad0c62eb26
-
Filesize
39B
MD5e32ed45d5c9ba06833b1be67a9783cb3
SHA1ab61b6b00775901d3b95e8c9b712fefd8585373f
SHA25629e327941bf9bad590f9c59c3e0c6f45ff7649b50ca356d25ca5d795d5beb0f6
SHA512d8ea64463c7369debc21d5bc6c80dd90fbbe747b338edf1ee06e5f4a344fd7e643f6e3f6a56aafb5ea17332f66153b25163d9ff4e9f05af0e864fbfcfdcf0e71
-
Filesize
1KB
MD55ca5183cec59a4343a0506fea83e9544
SHA18077218ade1e5c282f740e2c34f65773fd7e5c14
SHA25644f1bd4318e54fecc9484ce80952ef9823c8d509d6eb5ea0733d9e6d08f90d14
SHA512096594c8ae66419bd13435a9ec4ff5ec5f08c12faed29108e61d9fbeee596b40f6aecb5927d33cd2f5478aaa9e993b49d3829b25bf08fe2b66dd72f424e8f675
-
Filesize
322KB
MD50b5469b69a0d2e205640b78157ca225a
SHA1b2d7079a39fe7bbb835090ec74512d4bfa5c44cf
SHA2564179a1bff4c698ea6958bacb1f1734b9ab804cef35ecaf0e2a2b4b2eadf8e935
SHA512d6f2bf2a03a274df9034aeed0c4dfaa09c0d005a827cd782a67aef8b8f91a66fa9636d5ddbf8cf569ae392ef3a250c86314620f818f42c1be4a50e5645e43ca2
-
Filesize
1.8MB
MD55d74e736c5c4224b813bea351093c27f
SHA1740e59ec36ebec339f9245071f366cf601edbad7
SHA2567f5f134fd3ec2c14956acd7362c76e66759b8ecc51f986ef80bbf9f7f94b89fe
SHA5120628bf7d60b8e6428a0a5203fab8084788a6cafac159eff0f866a6b2b3934c44cee94b8a6f6f6f293b758384dbea3cca083df2131cc2d3e8ccf58c5769975524
-
Filesize
328KB
MD5dd2e5fd5109c54cc90b30b88ec0c585a
SHA1927dc541fd29ef6341b041321fe06bf04b0efcd7
SHA256a3dabb63f11e208a0d1d9b43b3d2575e2dc2a7d87c14eb654d3062f3bc0ad12d
SHA51220b19f742daf20de510b0232fb5f5bb231487d5e9da05b8e7037df79b7110c53b4db2e7969a6b978606e8dfd15b6d40eeae84e64b289f2b0f68dddbc8061441e
-
Filesize
363KB
MD52d2e3b0d8a9723eb49bd6f817cbe2e22
SHA10de80d21c389061e69dd3a0c61ac3ba225b9bb44
SHA256db995430707d2d34de8e5ce5fb4b22a87422f5a7b4d38960ed6615d4ea3d9495
SHA5121cc074eb26526b5572b1b1013a0330ed68ba130e95943d22d9f429d0cfa878e6b5fd48aa970af493f2f92908714cff278b921de96864be42285c43438f261bf3