Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
04/01/2023, 11:56
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe
Resource
win10v2004-20221111-en
General
-
Target
HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe
-
Size
768KB
-
MD5
ca77b734327afb186e37d78d948034e8
-
SHA1
73d0f64044802166bf6c3ca982a3f5ba5405c81e
-
SHA256
b12fbaf6b6ba8add5b7d2f86c8dc9020e087a164b7a022c0058dd397754352f4
-
SHA512
d03b22bca2262f4acd8054c419dac9af28f33b90950104bed89cf2e35419f373f0d306e8a08532eab2c99e2d11bec0093c38fd1040a78e063225948b4add7050
-
SSDEEP
12288:kr9okJ1XGTNrrxqFcT7K2p+CMWOvE+LKxPSRwqTqHjgL2NdLwQmhJSGwHDkP:C9rqJS2AxZWp5Hj8oOFQD8
Malware Config
Signatures
-
DcRat 17 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 3508 schtasks.exe 2980 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe 5096 schtasks.exe 8 schtasks.exe 372 schtasks.exe 4284 schtasks.exe 4420 schtasks.exe 1148 schtasks.exe 1884 schtasks.exe 4788 schtasks.exe 5064 schtasks.exe 3352 schtasks.exe 4980 schtasks.exe 4176 schtasks.exe 4684 schtasks.exe 4032 schtasks.exe -
resource yara_rule behavioral2/files/0x000a000000022e3b-135.dat dcrat behavioral2/files/0x000a000000022e3b-137.dat dcrat behavioral2/files/0x0006000000022e42-143.dat dcrat behavioral2/files/0x0006000000022e42-144.dat dcrat behavioral2/memory/2580-145-0x0000000000B50000-0x0000000000C70000-memory.dmp dcrat behavioral2/files/0x0006000000022e42-154.dat dcrat behavioral2/files/0x0006000000022e70-175.dat dcrat behavioral2/files/0x0006000000022e70-174.dat dcrat -
Executes dropped EXE 4 IoCs
pid Process 2040 Adobe_Premiere_Pro_2020.exe 2580 security.exe 3704 security.exe 2336 lsass.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation Adobe_Premiere_Pro_2020.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation security.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation security.exe -
Drops file in System32 directory 16 IoCs
description ioc Process File created C:\Windows\System32\WinOpcIrmProtector\lsass.exe security.exe File created C:\Windows\System32\srrstr\5b884080fd4f94e2695da25c503f9e33b9605b83 security.exe File opened for modification C:\Windows\System32\mapstoasttask\spoolsv.exe security.exe File created C:\Windows\System32\mapstoasttask\spoolsv.exe security.exe File created C:\Windows\System32\PnPUnattend\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d security.exe File opened for modification C:\Windows\System32\Windows.Mirage.Internal\SppExtComObj.exe security.exe File created C:\Windows\System32\Windows.Mirage.Internal\e1ef82546f0b02b7e974f28047f3788b1128cce1 security.exe File created C:\Windows\System32\KBDTURME\fontdrvhost.exe security.exe File created C:\Windows\System32\mapstoasttask\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 security.exe File created C:\Windows\System32\Windows.Mirage.Internal\SppExtComObj.exe security.exe File created C:\Windows\SysWOW64\Windows.Web\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 security.exe File created C:\Windows\System32\KBDTURME\5b884080fd4f94e2695da25c503f9e33b9605b83 security.exe File created C:\Windows\System32\WinOpcIrmProtector\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 security.exe File created C:\Windows\System32\PnPUnattend\RuntimeBroker.exe security.exe File created C:\Windows\System32\srrstr\fontdrvhost.exe security.exe File created C:\Windows\SysWOW64\Windows.Web\cmd.exe security.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Google\csrss.exe security.exe File created C:\Program Files (x86)\Google\886983d96e3d3e31032c679b2d4ea91b6c05afef security.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\DtcInstall\explorer.exe security.exe File created C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 security.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1148 schtasks.exe 372 schtasks.exe 5064 schtasks.exe 8 schtasks.exe 4684 schtasks.exe 3352 schtasks.exe 2980 schtasks.exe 4420 schtasks.exe 4284 schtasks.exe 4788 schtasks.exe 4176 schtasks.exe 4980 schtasks.exe 5096 schtasks.exe 4032 schtasks.exe 3508 schtasks.exe 1884 schtasks.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings security.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings Adobe_Premiere_Pro_2020.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4360 PING.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2580 security.exe 2580 security.exe 2580 security.exe 3704 security.exe 3704 security.exe 3704 security.exe 2336 lsass.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2580 security.exe Token: SeDebugPrivilege 3704 security.exe Token: SeDebugPrivilege 2336 lsass.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2040 2876 HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe 82 PID 2876 wrote to memory of 2040 2876 HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe 82 PID 2876 wrote to memory of 2040 2876 HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe 82 PID 2040 wrote to memory of 2492 2040 Adobe_Premiere_Pro_2020.exe 83 PID 2040 wrote to memory of 2492 2040 Adobe_Premiere_Pro_2020.exe 83 PID 2040 wrote to memory of 2492 2040 Adobe_Premiere_Pro_2020.exe 83 PID 2492 wrote to memory of 2096 2492 WScript.exe 88 PID 2492 wrote to memory of 2096 2492 WScript.exe 88 PID 2492 wrote to memory of 2096 2492 WScript.exe 88 PID 2096 wrote to memory of 2580 2096 cmd.exe 90 PID 2096 wrote to memory of 2580 2096 cmd.exe 90 PID 2580 wrote to memory of 4980 2580 security.exe 93 PID 2580 wrote to memory of 4980 2580 security.exe 93 PID 2580 wrote to memory of 2980 2580 security.exe 95 PID 2580 wrote to memory of 2980 2580 security.exe 95 PID 2580 wrote to memory of 1148 2580 security.exe 97 PID 2580 wrote to memory of 1148 2580 security.exe 97 PID 2580 wrote to memory of 4420 2580 security.exe 99 PID 2580 wrote to memory of 4420 2580 security.exe 99 PID 2580 wrote to memory of 372 2580 security.exe 101 PID 2580 wrote to memory of 372 2580 security.exe 101 PID 2580 wrote to memory of 4284 2580 security.exe 103 PID 2580 wrote to memory of 4284 2580 security.exe 103 PID 2580 wrote to memory of 3704 2580 security.exe 105 PID 2580 wrote to memory of 3704 2580 security.exe 105 PID 3704 wrote to memory of 1884 3704 security.exe 106 PID 3704 wrote to memory of 1884 3704 security.exe 106 PID 3704 wrote to memory of 4788 3704 security.exe 108 PID 3704 wrote to memory of 4788 3704 security.exe 108 PID 3704 wrote to memory of 5064 3704 security.exe 110 PID 3704 wrote to memory of 5064 3704 security.exe 110 PID 3704 wrote to memory of 4176 3704 security.exe 112 PID 3704 wrote to memory of 4176 3704 security.exe 112 PID 3704 wrote to memory of 5096 3704 security.exe 114 PID 3704 wrote to memory of 5096 3704 security.exe 114 PID 3704 wrote to memory of 8 3704 security.exe 116 PID 3704 wrote to memory of 8 3704 security.exe 116 PID 3704 wrote to memory of 4684 3704 security.exe 118 PID 3704 wrote to memory of 4684 3704 security.exe 118 PID 3704 wrote to memory of 4032 3704 security.exe 120 PID 3704 wrote to memory of 4032 3704 security.exe 120 PID 3704 wrote to memory of 3352 3704 security.exe 122 PID 3704 wrote to memory of 3352 3704 security.exe 122 PID 3704 wrote to memory of 3508 3704 security.exe 124 PID 3704 wrote to memory of 3508 3704 security.exe 124 PID 3704 wrote to memory of 3404 3704 security.exe 126 PID 3704 wrote to memory of 3404 3704 security.exe 126 PID 3404 wrote to memory of 2092 3404 cmd.exe 128 PID 3404 wrote to memory of 2092 3404 cmd.exe 128 PID 3404 wrote to memory of 4360 3404 cmd.exe 129 PID 3404 wrote to memory of 4360 3404 cmd.exe 129 PID 3404 wrote to memory of 2336 3404 cmd.exe 130 PID 3404 wrote to memory of 2336 3404 cmd.exe 130
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe"C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\FUJZXaGbfikh3OCtrxlc1i.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\HrklzIU7CdwrqnHUZC.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Roaming\Adobe\security.exe"C:\Users\Admin\AppData\Roaming\Adobe\security.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Mirage.Internal\SppExtComObj.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:4980
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\srrstr\fontdrvhost.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:2980
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:1148
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Windows.Web\cmd.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:4420
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\KBDTURME\fontdrvhost.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:372
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f6⤵
- DcRat
- Creates scheduled task(s)
PID:4284
-
-
C:\Users\Admin\AppData\Roaming\Adobe\security.exe"C:\Users\Admin\AppData\Roaming\Adobe\security.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\mapstoasttask\spoolsv.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:1884
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\winlogon.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:4788
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:5064
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WinOpcIrmProtector\lsass.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:4176
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:5096
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "upfc" /sc ONLOGON /tr "'C:\Documents and Settings\upfc.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:8
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\PnPUnattend\RuntimeBroker.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:4684
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:4032
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\taskhostw.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:3352
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f7⤵
- DcRat
- Creates scheduled task(s)
PID:3508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7LaJCF5Wk3.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:2092
-
-
C:\Windows\system32\PING.EXEping -n 5 localhost8⤵
- Runs ping.exe
PID:4360
-
-
C:\Windows\System32\WinOpcIrmProtector\lsass.exe"C:\Windows\System32\WinOpcIrmProtector\lsass.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD529901c9eca42ea66eacb5b816d7dc106
SHA169683b3029b7b086002e3cbecced9bf64f031e01
SHA25696c09cd40aca8463fd210b8b66856d3e38c0a0f7ca54a8b797f97ebca3d4ea63
SHA512e7e17297f9b14b3dae0aa8abf01cffe4353a65fb73b851ced178efb29df858bbacdcf5e75642b9806b4b09dc2eba337cfe28459694911b2f1c4dfdeabab13e0b
-
Filesize
214B
MD5a4009de1172a678024b1f7f6bf8c7fed
SHA15765d8b09684bb9d0fef62595bb98a9c00fdc954
SHA2562461b846afc817bc425b15a3e470d994fb3296971d914e9ab039df6fdd6b92bd
SHA512f3d446e866dc0ad2d8f5674d438db40774bfa8e0e3f752825501b33fe7f2e88379384d10fc229ef72893e9e47ee7ab5d764636b7e8864a19bf4ff9e628bc1712
-
Filesize
1.4MB
MD5153febc7dc9b8e2841a3a4c0c3ac3205
SHA138528c2c7e19b1246f4f9a420f05d8be3477876e
SHA256cba167b92f87576189504d235e3681496e01fe2a1f090e071a932fda99cb6a5c
SHA512022a6e7c0adeccace5b87ca7d87ba9b695903c5e9a754b9f493991a6c23de1e284c14137fbf266b2a8a50a667025b10b2c4288d6a4d43a064ff006d6984cfbc3
-
Filesize
1.4MB
MD5153febc7dc9b8e2841a3a4c0c3ac3205
SHA138528c2c7e19b1246f4f9a420f05d8be3477876e
SHA256cba167b92f87576189504d235e3681496e01fe2a1f090e071a932fda99cb6a5c
SHA512022a6e7c0adeccace5b87ca7d87ba9b695903c5e9a754b9f493991a6c23de1e284c14137fbf266b2a8a50a667025b10b2c4288d6a4d43a064ff006d6984cfbc3
-
Filesize
207B
MD5a2902a89edcfaefd1cf9464f23264397
SHA14e452cd28c8b743d0b927f6d8103fed171a549d5
SHA256abd9ed2ebc502da8269778d3b45dd29d2c4ef78fcc5e3e8dd232905cb9625c68
SHA5120db2e9d21164cdb4e824686f39cb4850fdbc8f72dcfd3f3bf73353074e4694a70c04356ce9ffea21e37381388c07943cd489c49a23738ae9a32e4473884dcd55
-
Filesize
30B
MD5987b91a43f4d58b9931af8a8d2d60532
SHA1290b57275dc95a8244d3aab2e76ef5944e64c5d6
SHA2562dafbed48a9bd344ee01d84d4ed7c5e9bc6e271f616e6b16aa0e858ef551472c
SHA512a217b91040d8f1eb67c3092292a6db5da21214b04b8e2d2d5bd13677f84d5552b4fc42710a40915f71db54983b33d83d74e4e1144c6a60cf56d08391c351ceb1
-
Filesize
1.1MB
MD51fe77d2dfb4e5fa383357b76151e6863
SHA1f4d111e26144d496f75ed22139a65513112b125c
SHA2567bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2
SHA512a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac
-
Filesize
1.1MB
MD51fe77d2dfb4e5fa383357b76151e6863
SHA1f4d111e26144d496f75ed22139a65513112b125c
SHA2567bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2
SHA512a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac
-
Filesize
1.1MB
MD51fe77d2dfb4e5fa383357b76151e6863
SHA1f4d111e26144d496f75ed22139a65513112b125c
SHA2567bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2
SHA512a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac
-
Filesize
1.1MB
MD51fe77d2dfb4e5fa383357b76151e6863
SHA1f4d111e26144d496f75ed22139a65513112b125c
SHA2567bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2
SHA512a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac
-
Filesize
1.1MB
MD51fe77d2dfb4e5fa383357b76151e6863
SHA1f4d111e26144d496f75ed22139a65513112b125c
SHA2567bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2
SHA512a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac