Resubmissions
16/03/2023, 17:23
230316-vyej5aec8t 10Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16/03/2023, 17:23
General
-
Target
Asras.rar
-
Size
1.3MB
-
MD5
dbbc0d7f0ac1d363548616251b0c8f6c
-
SHA1
a6d28f3d947cf26f88b20ac032ea7e3b754fe508
-
SHA256
4833bb58b17418b134e3eca5b84cbfaef464748131213b173bf8472b94af9eb9
-
SHA512
637d0622985d3b6ed5579be8bda55f3eac9bcc279dae84bf03f7a2d8efc4f87c4f4c88d2d0e2a49191b7069764a41002975175b86e1ba530b13b3387e1fb6173
-
SSDEEP
24576:sMFh/yFzJkYJVQ2h515lhteOws053r0Fu+xZBWYYsYK1aHQahW/Ji6SGEwtEkHhb:sMirbh93tnd02U8RYst0ThW/JiEJtEkN
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\WinRAR\WhatsNew.txt
Ransom Note
WinRAR - What's new in the latest version
Version 6.21
1. Both file and folder modification timestamps are restored
when unpacking TAR and TAR based archives like tar.gz and tar.bz2.
Previously only file modification timestamps were set
for these archive formats.
2. Added decompression of .tar.zst archives with dictionary
exceeding 128 MB. WinRAR 6.20 allowed such dictionary for .zst,
but not for .tar.zst.
3. Switches -ed and -e+d are also supported by ZIP archives.
Previously they worked only for RAR archives.
4. Bugs fixed:
a) if unencrypted file was stored after encrypted in the same
RAR archive and both files had been unpacked in the same extraction
command, WinRAR 6.20 failed to unpack the unencrypted file;
b) in some cases a wrong detailed reason of file open error could be
displayed in the second line of open error message.
Version 6.20
1. If "Autodetect passwords" option in "Organizer passwords" dialog
is enabled and password matching a processing archive is present
among saved passwords, it is applied automatically. This option
is applicable only for archives in RAR 5.0 and ZIP formats,
which allow to verify the password validity quickly.
There is a minor chance of incorrect password detection
for ZIP archives if stored passwords do not include a proper one.
If encrypted ZIP archive extraction fails, you can try to disable
this option, repeat extraction and enter a valid password manually.
2. If extraction command involves only a part of files in RAR archive,
the additional archive analysis is performed when starting extraction.
It helps to properly unpack file references even if reference source
is not selected. It works for most of RAR archives except for volumes
on multiple removable media and archives containing a very large
number of references.
Also in some cases such analysis may help to optimize the amount
of processing data when extracting individual files from
semi-solid archives created with -s<N> and -se switches.
3. "Save original archive name and time" option on "Options" page
of archiving dialog allows to save the original archive name
and creation time. If archive includes such saved name and time,
they are displayed on "Info" page of "Show information" command
and can be restored on "Options" page of same command.
Restoring involves renaming an archive to original name and setting
the saved time as the archive creation and modification time.
Switch -ams or just -am together with archive modification commands
can be used to save the archive name and time in the command line mode.
These saved parameters are displayed in header of "l" and "v" commands
output and can be restored with -amr switch combined with "ch" command,
such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores
other archive modification switches.
4. Faster RAR5 compression of poorly compressible data on modern CPUs
with 8 or more execution threads. This applies to all methods
except "Fastest", which performance remains the same.
5. "Repair" command efficiency is improved for shuffled data blocks
in recovery record protected RAR5 archives.
6. If file size has grown after archiving when creating non-solid
RAR volumes, such file is stored without compression regardless of
volume number, provided that file isn't split between volumes.
Previously it worked only for files in the first volume.
7. Added decompression of .zipx archives containing file references,
provided that both reference source and target are selected
and reference source precedes the target inside of archive.
Typically, if .zipx archive includes file references, it is necessary
to unpack the entire archive to extract references successfully.
8. Added decompression of .zst long range mode archives with dictionary
exceeding 128 MB. Previously it was possible to decompress them only
if dictionary was 128 MB or less.
9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving
options are enabled in WinRAR, a prompt to confirm or cancel
such power management action is displayed directly before starting it.
If no selection was made by user for 30 seconds, the proposed action
is confirmed and started automatically.
This prompt is also displayed for -ioff switch in WinRAR command line,
but not in console RAR command line.
10. Context menu in WinRAR file list provides "Open in internal viewer"
command for archive files. It can be helpful if you wish to view
the archive raw data in internal viewer. For example, to read
an email archive with UUE attachments included.
Usual "View" command always displays the archive contents.
If file is recognized as UUE archive, "View" would show UUE attachments.
11. Recovery record size is displayed on "Archive" page of file properties
invoked from Explorer context menu for archives in RAR5 format.
Previously there was only "Present" instead of exact size
for RAR5 archives.
12. When archiving from stdin with -si switch, RAR displays the current
amount of read bytes as the progress indicator.
13. If wrong password is specified when adding files to encrypted
solid RAR5 archive, a password will be requested again.
Previous versions cancelled archiving in this case.
14. If both options "Test archived files" and "Clear attribute "Archive"
after compressing" or their command line -t -ac equivalents are
enabled when archiving, "Archive" attribute will be cleared only
if test was completed successfully. Previously it was cleared even
when test reported errors.
15. NoDrives value containing the bit mask to hide drives can be now
read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key,
which allows to include it to winrar.ini if necessary.
Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations
in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported.
Previously only "Software\Microsoft\Windows\CurrentVersion\Policies"
in HKEY_CURRENT_USER was recognized.
16. Bugs fixed:
a) archive modification commands could fail for some ZIP archives
with file comments;
b) fixed a memory leak when reading contents of .tar.bz2 archives;
c) if source and resulting archive format is the same, the archive
conversion command didn't set the original archive time
to a newly created archive even if "Original archive time" option
was selected in archiving parameters;
d) if "Merge volumes contents" option in "Settings/File list" was
turned on, the folder packed size in WinRAR file list could be
less than expected when browsing a multivolume archive contents.
It didn't include the packed size of file parts continuing from
previous volume into calculation;
e) even if "Set file security" extraction option was turned off
by default, extraction commands in Explorer context menu still
attempted to restore NTFS file security data;
f) WinRAR could read data beyond the end of buffer and crash
when unpacking files from specially crafted ZIP archive.
We are thankful to Bakker working with Trend Micro Zero Day
Initiative for letting us know about this bug.
Version 6.11
1. Added support for Gz archives with large archive comments.
Previously the extraction command failed to unpack gz archives
if comment size exceeded 16 KB.
2. Archive comments in gz archives are displayed in the comment window
and recognized by "Show information" command. Large comments are
shown partially.
Previous versions didn't display Gzip comments.
3. Reserved device names followed by file extension, such as aux.txt,
are extracted as is in Windows 11 even without "Allow potentially
incompatible names" option or -oni command line switch.
Unlike previous Windows versions, Windows 11 treats such names
as usual files.
Device names without extension, such as aux, still require these
options to be unpacked as is regardless of Windows version.
4. Switch -mes can be also used to suppress the password prompt
and abort when adding files to encrypted solid archive.
5. Additional measures to prevent extracting insecure links are
implemented.
6. Bugs fixed:
a) if password exceeding 127 characters was entered when unpacking
an encrypted archive with console RAR, text after 127th character
could be erroneously recognized as user's input by different
prompts issued later;
b) wrong archived file time could be displayed in overwrite prompt
when extracting a file from ZIP archive. It happened if such
archive included extended file times and was created in another
time zone. It didn't affect the actual file time, which was set
properly upon extraction.
Version 6.10
1. WinRAR can unpack contents of .zst and .zipx archives utilizing
Zstandard algorithm.
2. Added support of Windows 11 Explorer context menus.
Beginning from Windows 11, an application can add only a single top
level command or submenu to Explorer context menu.
If "Cascaded context menus" in "Integration settings" dialog is on,
this single item is a submenu storing all necessary WinRAR commands.
If this option is off, only one extraction command for archives
and one archiving command for usual files are available.
You can select these commands with "Context menu items..." button
in "Integration settings" dialog.
3. "Legacy context menus" option in "Settings/Integration" dialog
can be used in Windows 11 if WinRAR commands are missing in
"Show more options" Windows legacy context menu or in context menus
of third party file managers. If WinRAR commands are already present
here, keep "Legacy context menus" option turned off to prevent
duplicating them.
This option is not available in Windows 10 and older.
4. Windows XP is not supported anymore. Minimum required operating
system version is Windows Vista.
5. "Close" item is added to "When done" list on "Advanced" page of
archiving dialog. It closes WinRAR window, when archiving is done.
6. "When done" list is added to "Options" page of extraction dialog.
It allows to select an action like turning a computer off
or closing WinRAR after completing extraction.
7. Switch -si can be used when extracting or testing to read archive
data from stdin, such as:
type docs.rar | rar x -si -o+ -pmypwd dummy docs\
Even though the archive name is ignored with this switch,
an arbitrary dummy archive name has to specified in the command line.
Operations requiring backward seeks are unavailable in this mode.
It includes displaying archive comments, testing the recovery record,
utilizing the quick open information, processing multivolume archives.
Prompts requiring user interaction are not allowed.
Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts.
8. New -ep4<path> switch excludes the path prefix when archiving
or extracting if this path is found in the beginning of archived name.
Path is compared with names already prepared to store in archive,
without drive letters and leading path separators. For example:
rar a -ep4texts\books archive c:\texts\books\technical
removes "text\books" from archived names, so they start
from 'technical'.
9. New -mes switch skips encrypted files when extracting or testing.
It replaces the former -p- switch.
10. New -op<path> switch sets the destination folder for 'x' and 'e'
extraction commands. Unlike <path_to_extract\> command line parameter,
this switch also accepts paths without trailing path separator
character.
11. If 'p' command is used to print a file to stdout, informational
messages are suppressed automatically to prevent them mixing
with file data.
12. "Generate archive name by mask" option and switch -ag treat only
first two 'M' characters after 'H' as minutes. Previously any
amount of such characters was considered as minutes.
It makes possible to place the time field before the date,
like -agHHMM-DDMMYY. Previous versions considered all 'M'
in this string as minutes.
13. Maximum allowed size of RAR5 recovery record is increased to 1000%
of protected data size. Maximum number of RAR5 recovery volumes
can be 10 times larger than protected RAR volumes.
Previous WinRAR versions are not able to use the recovery record
to repair broken archives if recovery record size exceeds 99%.
Similarly, previous versions cannot use recovery volumes
if their number is equal or larger than number of RAR volumes.
14. Warning is issued if entered password exceeds the allowed limit
of 127 characters and is truncated. Previously such passwords
had been truncated silently.
15. If archive includes reserved device names, the underscore character
is inserted in the beginning of such names when extracting.
For example, aux.txt is converted to _aux.txt. It is done to prevent
compatibility problems with software unable to process such names.
You can use "Allow potentially incompatible names" option
in "Advanced" part of extraction dialog or command line -oni switch
to avoid this conversion.
16. WinRAR attempts to reset the file cache before testing an archive.
It helps to verify actual data written to disk instead of reading
a cached copy.
17. Multiple -v<size> switches specifying different sizes for different
volumes are now allowed also for ZIP archives:
WinRAR a -v100k -v200k -v300k arcname.zip
Previously multiple -v<size> switches were supported only for
RAR archives.
18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command
line mode when extracting archives in any supported formats,
provided that such archive includes unpacked file sizes.
Previously these switches could filter files by size only in RAR
and ZIP archives.
19. Newer folder selection dialog is invoked when pressing "Browse" button
in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands,
also as in few other similar places. Previously a simpler XP style
folder selection dialog was opened.
20. When restoring from tray after completing an operation,
WinRAR window is positioned under other opened windows,
to not interfere with current user activities.
21. "650 MB CD" is removed and "2 GB volumes" is added to the list of
predefined volume sizes in "Define volume sizes" dialog invoked
from WinRAR "Settings/Compression".
22. "Rename" command selects the file name part up to the final dot.
Previously it selected the entire name.
23. If SFX archive size exceeds 4 GB, an error message is issued
during compression, immediately after exceeding this threshold.
Previously this error was reported only after completing compression.
Executables of such size cannot be started by Windows.
24. Command line -en switch is not supported anymore.
It created RAR4 archives without the end of archive record.
End of archive record permits to gr
URLs
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
https://technet.microsoft.com/en-us/library/security/ms14-064.aspx
http://rarlab.com/vuln_sfx_html2.htm
https://blake2.net
Extracted
Path
C:\Program Files\WinRAR\Rar.txt
Ransom Note
User's Manual
~~~~~~~~~~~~~
RAR 6.21 console version
~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Introduction
~~~~~~~~~~~~
RAR is a console application allowing to manage archive files
in command line mode. RAR provides compression, encryption,
data recovery and many other functions described in this manual.
RAR supports only RAR format archives, which have .rar file name
extension by default. ZIP and other formats are not supported.
Even if you specify .zip extension when creating an archive, it will
still be in RAR format. Windows users may install WinRAR, which supports
more archive types including RAR and ZIP formats.
WinRAR provides both graphical user interface and command line mode.
While console RAR and GUI WinRAR have the similar command line syntax,
some differences exist. So it is recommended to use this rar.txt manual
for console RAR (rar.exe in case of Windows version) and winrar.chm
WinRAR help file for GUI WinRAR (winrar.exe).
Configuration file
~~~~~~~~~~~~~~~~~~
RAR and UnRAR for Unix read configuration information from .rarrc file
in a user's home directory (stored in HOME environment variable)
or in /etc directory.
RAR and UnRAR for Windows read configuration information from rar.ini file,
placed in the same directory as the rar.exe file.
This file can contain the following string:
switches=<any RAR switches separated by spaces>
For example:
switches=-m5 -s
It is also possible to specify separate switch sets for individual
RAR commands using the following syntax:
switches_<command>=<any RAR switches separated by spaces>
For example:
switches_a=-m5 -s
switches_x=-o+
Environment variable
~~~~~~~~~~~~~~~~~~~~
Default parameters may be added to the RAR command line by establishing
an environment variable "RAR".
For instance, in Unix following lines may be added to your profile:
RAR='-s -md1024'
export RAR
RAR will use this string as default parameters in the command line and
will create "solid" archives with 1024 MB sliding dictionary size.
RAR handles options with priority as following:
command line switches highest priority
switches in the RAR variable lower priority
switches saved in configuration file lowest priority
Log file
~~~~~~~~
If switch -ilog is specified in the command line or configuration file,
RAR will write informational messages about errors encountered while
processing archives into a log file. Read the switch -ilog description
for more details.
The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rarfiles.lst contains a user-defined file list, which tells RAR
the order in which to add files to a solid archive. It may contain
file names, wildcards and special entry - $default. The default
entry defines the place in order list for files not matched
with other entries in this file. The comment character is ';'.
In Windows this file should be placed in the same directory as RAR
or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory
or in /etc.
Tips to provide improved compression and speed of operation:
- similar files should be grouped together in the archive;
- frequently accessed files should be placed at the beginning.
Normally masks placed nearer to the top of list have a higher priority,
but there is an exception from this rule. If rarfiles.lst contains such
two masks that all files matched by one mask are also matched by another,
that mask which matches a smaller subset of file names will have higher
priority regardless of its position in the list. For example, if you have
*.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of
'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.
RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~
Syntax
RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ]
[ <files...> ] [ <path_to_extract\> ]
Description
Command is a single character or string specifying an action to be
performed by RAR. Switches are designed to modify the way RAR performs
such action. Other parameters are archive name and files to be archived
or extracted.
Listfiles are plain text files containing names of files to process.
File names must start at the first column. It is possible to
put comments to the listfile after // characters. For example,
you can create backup.lst containing the following strings:
c:\work\doc\*.txt //backup text documents
c:\work\image\*.bmp //backup pictures
c:\work\misc
and then run:
rar a backup @backup.lst
If you wish to read file names from stdin (standard input),
specify the empty listfile name (just @).
By default, console RAR uses the single byte encoding in list files,
but it can be redefined with -sc<charset>l switch.
You can specify both usual file names and list files in the same
command line. If neither files nor listfiles are specified,
then *.* is implied and RAR will process all files.
path_to_extract includes the destination directory name followed by
a path separator character. For example, it can be c:\dest\ in Windows
or data/ in Unix. It specifies the directory to place extracted files
in 'x' and 'e' commands. This directory is created by RAR if it does not
exist yet. Alternatively it can be set with -op<path> switch.
Many RAR commands, such as extraction, test or list, allow to use
wildcards in archive name. If no extension is specified in archive
mask, RAR assumes .rar, so * means all archives with .rar extension.
If you need to process all archives without extension, use *. mask.
*.* mask selects all files. Wildcards in archive name are not allowed
when archiving and deleting.
In Unix you need to enclose RAR command line parameters containing
wildcards in single or double quotes to prevent their expansion
by Unix shell. For example, this command will extract *.asm files
from all *.rar archives in current directory:
rar e '*.rar' '*.asm'
Command could be any of the following:
a Add files to archive.
Examples:
1) add all *.hlp files from the current directory to
the archive help.rar:
rar a help *.hlp
2) archive all files from the current directory and subdirectories
to 362000 bytes size solid, self-extracting volumes
and add the recovery record to each volume:
rar a -r -v362 -s -sfx -rr save
Because no file names are specified, all files (*) are assumed.
3) as a special exception, if directory name is specified as
an argument and if directory name does not include file masks
and trailing path separator, the entire contents of the directory
and all subdirectories will be added to the archive even
if switch -r is not specified.
The following command will add all files from the directory
Bitmaps and its subdirectories to the RAR archive Pictures.rar:
rar a Pictures.rar Bitmaps
4) if directory name includes the trailing path separator,
normal rules apply and you need to specify switch -r to process
its subdirectories.
The following command will add all files from directory Bitmaps,
but not from its subdirectories, because switch -r is not
specified:
rar a Pictures.rar Bitmaps\*
c Add archive comment. Comments are displayed while the archive is
being processed. Comment length is limited to 256 KB.
Examples:
rar c distrib.rar
Also comments may be added from a file using -z[file] switch.
The following command adds a comment from info.txt file:
rar c -zinfo.txt dummy
ch Change archive parameters.
This command can be used with most of archive modification
switches to modify archive parameters. It is especially
convenient for switches like -cl, -cu, -tl, which do not
have a dedicated command.
It is not able to recompress, encrypt or decrypt archive data
and it cannot merge or create volumes. If no switches are
specified, 'ch' command just copies the archive data without
modification.
If used with -amr switch to restore the saved archive name
and time, other archive modification switches are ignored.
Example:
Set archive time to latest file:
rar ch -tl files.rar
cw Write archive comment to specified file.
Format of output file depends on -sc switch.
If output file name is not specified, comment data will be
sent to stdout.
Examples:
1) rar cw arc comment.txt
2) rar cw -scuc arc unicode.txt
3) rar cw arc
d Delete files from archive. If this command removes all files
from archive, the empty archive is removed.
e Extract files without archived paths.
Extract files excluding their path component, so all files
are created in the same destination directory.
Use 'x' command if you wish to extract full pathnames.
Example:
rar e -or html.rar *.css css\
extract all *.css files from html.rar archive to 'css' directory
excluding archived paths. Rename extracted files automatically
in case several files have the same name.
f Freshen files in archive. Updates archived files older
than files to add. This command will not add new files
to the archive.
i[i|c|h|t]=<string>
Find string in archives.
Supports following optional parameters:
i - case insensitive search (default);
c - case sensitive search;
h - hexadecimal search;
t - use ANSI, UTF-8, UTF-16 and OEM (Windows only)
character tables;
If no parameters are specified, it is possible to use
the simplified command syntax i<string> instead of i=<string>
It is allowed to specify 't' modifier with other parameters,
for example, ict=string performs case sensitive search
using all mentioned above character tables.
Examples:
1) rar "ic=first level" -r c:\*.rar *.txt
Perform case sensitive search of "first level" string
in *.txt files in *.rar archives on the disk c:
2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar
Search for hex string f0 e0 ae ae ab 2d 83 e3 a9
in rar archives in e:\texts directory.
k Lock archive.
RAR cannot modify locked archives, so locking important archives
prevents their accidental modification by RAR. Such protection
might be especially useful in case of RAR commands processing
archives in groups.
This command is not intended or able to prevent modification
by other tools or willful third party. It implements a safety
measure only for accidental data change by RAR.
Example:
rar k final.rar
l[t[a],b]
List archive contents [technical [all], bare].
'l' command lists archived file attributes, size, date,
time and name, one file per line. If file is encrypted,
line starts from '*' character.
'lt' displays the detailed file information in multiline mode.
This information includes file checksum value, host OS,
compression options and other parameters.
'lta' provide the detailed information not only for files,
but also for service headers like NTFS streams
or file security data.
'lb' lists bare file names with path, one per line,
without any additional information.
You can use -v switch to list contents of all volumes
in volume set: rar l -v vol.part1.rar
Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta'
and 'vb' correspondingly.
m[f] Move to archive [files only]. Moving files and directories
results in the files and directories being erased upon
successful completion of the packing operation. Directories will
not be removed if 'f' modifier is used and/or '-ed' switch is
applied.
p Print file to stdout.
Send unpacked file data to stdout. Informational messages
are suppressed with this command, so they are not mixed
with file data.
r Repair archive. Archive repairing is performed in two stages.
First, the damaged archive is searched for a recovery record
(see 'rr' command). If archive contains the previously added
recovery record and if damaged data area is continuous
and smaller than error correction code size in recovery record,
chance of successful archive reconstruction is high.
When this stage has been completed, a new archive is created,
named as fixed.arcname.rar, where 'arcname' is the original
(damaged) archive name.
If broken archive does not contain a recovery record or if
archive is not completely recovered due to major damage,
second stage is performed. During this stage only the archive
structure is reconstructed and it is impossible to recover
files which fail checksum validation, it is still possible,
however, to recover undamaged files, which were inaccessible
due to the broken archive structure. Mostly this is useful
for non-solid archives. This stage is never efficient
for archives with encrypted file headers, which can be repaired
only if recovery record is present.
When the second stage is completed, the reconstructed archive
is saved as rebuilt.arcname.rar, where 'arcname' is
the original archive name.
By default, repaired archives are created in the current
directory, but you can append an optional destpath\ parameter
to specify another destination directory.
Example:
rar r buggy.rar c:\fixed\
repair buggy.rar and place the result to 'c:\fixed' directory.
rc Reconstruct missing and damaged volumes using recovery volumes
(.rev files). You need to specify any existing .rar or .rev
volume as the archive name.
Example:
rar rc backup.part03.rar
Read 'rv' command description for information about
recovery volumes.
rn Rename archived files.
The command syntax is:
rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>
For example, the following command:
rar rn data.rar readme.txt readme.bak info.txt info.bak
will rename readme.txt to readme.bak and info.txt to info.bak
in the
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 60 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Asras.rar1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Asras.rar"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E0DD52AD5C2EDA75195381A0AD54F8D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E0DD52AD5C2EDA75195381A0AD54F8D9 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:14⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=31856AB790B2E122BABB0C1ECE7F6B8C --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.0.22313372\931135907" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5dd393-9b85-4235-9204-57e8a833500d} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 1932 1d23a0ed458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.1.1419537449\1275349330" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbbb4b73-be24-4264-8846-f6f2e5dd1c32} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 2332 1d22d172858 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.2.1284792719\592371390" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3124 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f975597d-d609-4eac-b358-07360608a3a2} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 3088 1d23a069c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.3.1936988285\1313568038" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aa0de0c-d7af-450c-b551-f92317fa250c} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 3540 1d23dd09158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.4.374407827\1345012447" -childID 3 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf41848c-9084-4388-bed2-1c552e2d0f8f} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 4052 1d23f3bbe58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.5.1276006321\1509636423" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4912 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fbe0312-15bd-43b6-a8eb-a15957432a34} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 4916 1d240288258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.6.1315817849\1553664536" -childID 5 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fea22d6-fef5-4fa8-b05c-857c5c4495d6} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5048 1d240797258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.7.1322911426\2041461448" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01f2df37-2252-431a-b580-4470fb8b6312} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5244 1d240794e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.8.170553212\1939290439" -childID 7 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fb08704-d62a-449d-87d5-b5070d109381} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5636 1d240cd4558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3108.9.761450231\957955798" -childID 8 -isForBrowser -prefsHandle 4908 -prefMapHandle 4952 -prefsLen 27195 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3d130c8-e768-4930-b011-143d1970dd6c} 3108 "\\.\pipe\gecko-crash-server-pipe.3108" 5024 1d240781258 tab3⤵
-
-
C:\Users\Admin\Downloads\winrar-x64-621.exe"C:\Users\Admin\Downloads\winrar-x64-621.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup4⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5e51d9ff73c65b76ccd7cd09aeea99c3c
SHA1d4789310e9b7a4628154f21af9803e88e89e9b1b
SHA2567456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd
SHA51257ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c
-
Filesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
Filesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
Filesize
103KB
MD54c88a040b31c4d144b44b0dc68fb2cc8
SHA1bf473f5a5d3d8be6e5870a398212450580f8b37b
SHA2566f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8
SHA512e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8
-
Filesize
317KB
MD5381eae01a2241b8a4738b3c64649fbc0
SHA1cc5944fde68ed622ebee2da9412534e5a44a7c9a
SHA256ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e
SHA512f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88
-
Filesize
2.4MB
MD546d15a70619d5e68415c8f22d5c81555
SHA112ec96e89b0fd38c469546042e30452b070e337f
SHA2562e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781
SHA51209446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb
-
Filesize
437KB
MD5cac9723066062383778f37e9d64fd94e
SHA11cd78fc041d733f7eacdd447371c9dec25c7ef2c
SHA256e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad
SHA5122b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59
-
Filesize
145KB
MD5fb6f03982ca03cdfbf5f93fdf8882ba1
SHA19a8e0da8ca93feb01f387ae04735c8f382676d66
SHA25622d7f83da2a72f4c3965470b32689a63bda03710c4a1b08cad276b293ecf837c
SHA51246e2ef626377e4aa365251e24ed54dbc01bed39c3323f568ff38ef70033e8b077dbf8d43ce28c7004502d5adf509be6e785159ba6f4ca93902a0608f2b7d0168
-
Filesize
169KB
MD5ebb82a974e2cfc1b2f47f2eca19e2caf
SHA1dcac989bf84192c3d5ca8e129aa8378a90042d08
SHA2560d01b110fec9fe95d4f663b6441f3ff424e73556fabb458c0107712372e5acc3
SHA51293b61823cdaba0f932d53f039604a89b7c0667111da35f0e9c8fcaa75b475bf797d659a16b6ef55ecf81f109535b2799d312783c289a18a76ebc07f015ae8bf0
-
Filesize
6KB
MD542651acfdfc177476b50b50a3e677e83
SHA1411a262afa20d5ba23ac5e40b08731d252547734
SHA256422b977640a9932b7aa7054d2d7f12c7eda97400eccb95f871b07efa74cdd95d
SHA5122f21ceb7ef91880e9a28c19a44c7daec8040e90748e5632daa983cf1cac43dc51405daeb298f593d6f41201a3f15ce89adc275e00c10a7ac234768f29d1950fd
-
Filesize
7KB
MD58ea231442867a9673d9bf4dc5fb4f5b4
SHA175aacff7518921256d3eb6af90bbe97755658f34
SHA25644fe11dd938f1d3a3cec8f9405bcf530de60f8044948df0989cb6eee3a7b3200
SHA512794ab9aaf5a9c788f360054e666db41122b705d55671f4649c9c25db0917ebeaf335a174441801ec8a8854800c8be2ed001357d01780458c58afeb935547555a
-
Filesize
7KB
MD5e77af81742663259255355e4ad631c42
SHA1ee8f29f687724013e02ce98cdd0abe9daf2c5bc5
SHA256bb0f971679113918b42b57eaa99237e155f64016ecd95b4ab80a7438e9e90be0
SHA51216789e3cd0b270f0ff2deca782197c19a015fe7d2ac62563b7a1ed56cd2305363093f0c7f06ff4a80517d3218e9492932f748647067725613e0a2ce29c95fb46
-
Filesize
7KB
MD552e98b7380001afda13017fd97e168c6
SHA162e69e1fbc82a33daf69b5a0296bad04ae2ad67d
SHA25646fbbcbe639a5a3e4b8efad871f43b63a2b529a8cb1edc63acf3b954b8d43454
SHA512818acfa53ae84dd8aa2834a1565927f01ee8ec5a3c0c06898bb8bd8fc4bb27cc171aae4f26647fb147b471479ec04b4f4940753a7d1784084bec0b6c6cc6aa7b
-
Filesize
7KB
MD5283165ece93e7d60ba483b40a4ddf1f9
SHA1a36ba6158d63b085073fac9d845a7dc9ac83d2d9
SHA25652ae0338f0655690ccd2b70e776b32f1314e6a69b5ab7c90a930765a8389c132
SHA512c8bcf51be74cb3c7490b0f7cd15496699dce5e6543729af1ca592c76ede2872e8f4942d89c42f1dbcdc59c34b89d06c29c9ef97ac605702d8506a29528618f21
-
Filesize
6KB
MD59695fbf31b25eaf028c00f1f50fbb310
SHA1d93889634579181ec74f7f0609ca4347237a73d0
SHA25675c5ac01e06bbe6f57927f010a125f3ca06aba5856240aeceb3718860db7bb08
SHA512beb27cc7882e382b283e52e2d11180fbef8d778ccc907c6c5f128bb28910fa45a16eafabfccc201b5f6cc8136b746c98d3405e89f841efa162bb1dbbb55fdbae
-
Filesize
6KB
MD5f73e52d124620d05267ba934f3b312d3
SHA134121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
SHA256fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
SHA5124ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46
-
Filesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
Filesize
1KB
MD5d7fc76d6cf62b9f9327fe9be4e4e7a4c
SHA10c8746e997e206767dc90bc054296887e17b7b25
SHA256e797085f3700043288eaff2af5237a36b55eeec8b543e8f2338d041c5b53f98b
SHA512085375628eacd47e5337414e6796c661ac32bd1e43d422c5e7497cebfd7acdf497734af9a7224189af8fae62736a0300b54a3e922fab8a9d05330a791204620b
-
Filesize
1KB
MD5e78d4106a0aae51291d35b816eb7b22c
SHA176ca5e35c169b647305a764faa7db03f4b8bbcb9
SHA256043bbae886af87830e82fe1685205b9be9c91f05c3d7e71cebc9b4eb7ee88f41
SHA5124df1845cf423bf49eca7ee97f3512d863adad7086195bd239de58d2c2d58afb45ff5caccbf60095b7351cacdf8224068c92c637fe86150114373538233aa876b
-
Filesize
6KB
MD568a6e14da81ce16a442bec6a05b292aa
SHA1bd94417f6bc36e6802a4d0a4e7e9e63e78e82618
SHA25699e678b7296db918f69f4c9c2e263d1e3019285536d04a4dff3a6d7825ec5b08
SHA512607c8829ed034faf0317a0689d2b31b8714d19220e79f5f1d59bde75b2708b2fce9a9d58e86ba03134852894bfe725106ed4e63323a06a4b19a492a7eb05072b
-
Filesize
3.4MB
MD5766ac70b840c029689d3c065712cf46e
SHA1e54f4628076d81b36de97b01c098a2e7ba123663
SHA25606d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA51249064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
Filesize
3.4MB
MD5766ac70b840c029689d3c065712cf46e
SHA1e54f4628076d81b36de97b01c098a2e7ba123663
SHA25606d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219
SHA51249064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608
-
Filesize
100KB
MD50bc71f20f87286bf5a2e566b0e43696f
SHA153b5e46022db9ba1ef964965609597f0e7f4bf2b
SHA256bf6e52fe4c9ce2fb7d0e40fbc8d75e26c8053995bcbfc4be46ba363a4838ab86
SHA512ce98749522fa5a1b072f822feff85edca53eb0d61354e8af548a21bafe99fc32e8c816563d165e13d990964c8c790bd41f45e77a27aa58b6abfb6d272a5e5a7c