Analysis
-
max time kernel
121s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
17-06-2023 03:24
Static task
static1
General
-
Target
4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe
-
Size
583KB
-
MD5
422419c327691cff180055bf4c0c6f36
-
SHA1
0ce358f262f16ab03cf4bb08bc550184e611b8fa
-
SHA256
4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859
-
SHA512
7f4c491a71227be6aae84e7e971eaaa2a6bfbd3e570a907f5f941a5f0781875f7827a4e4b65bfcc445aef0e4220875564de927f34cfa592a744b6a8276236d7e
-
SSDEEP
12288:mMr8y90RcoNw/Y62TTupfLrcLWLhrcKTn0Tby9AUN0iEdFt:Oymco0Yp3uYENnTn0C0iC
Malware Config
Extracted
redline
dedo
83.97.73.130:19061
-
auth_value
ac76f7438fbe49011f900c651cb85e26
Extracted
amadey
3.84
77.91.68.63/doma/net/index.php
Extracted
redline
grega
83.97.73.130:19061
-
auth_value
16e2fbc2847b2270b3f0679e2dd76c8d
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" g9446527.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" g9446527.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" g9446527.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" g9446527.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" g9446527.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 9 IoCs
pid Process 1008 x2697643.exe 4280 x4566063.exe 3656 f6727466.exe 2832 g9446527.exe 5080 h3654296.exe 788 rugen.exe 728 i1110490.exe 4808 rugen.exe 4120 rugen.exe -
Loads dropped DLL 1 IoCs
pid Process 3024 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" g9446527.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x2697643.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x4566063.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x4566063.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x2697643.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3508 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3656 f6727466.exe 3656 f6727466.exe 2832 g9446527.exe 2832 g9446527.exe 728 i1110490.exe 728 i1110490.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3656 f6727466.exe Token: SeDebugPrivilege 2832 g9446527.exe Token: SeDebugPrivilege 728 i1110490.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5080 h3654296.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 2868 wrote to memory of 1008 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 66 PID 2868 wrote to memory of 1008 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 66 PID 2868 wrote to memory of 1008 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 66 PID 1008 wrote to memory of 4280 1008 x2697643.exe 67 PID 1008 wrote to memory of 4280 1008 x2697643.exe 67 PID 1008 wrote to memory of 4280 1008 x2697643.exe 67 PID 4280 wrote to memory of 3656 4280 x4566063.exe 68 PID 4280 wrote to memory of 3656 4280 x4566063.exe 68 PID 4280 wrote to memory of 3656 4280 x4566063.exe 68 PID 4280 wrote to memory of 2832 4280 x4566063.exe 70 PID 4280 wrote to memory of 2832 4280 x4566063.exe 70 PID 1008 wrote to memory of 5080 1008 x2697643.exe 71 PID 1008 wrote to memory of 5080 1008 x2697643.exe 71 PID 1008 wrote to memory of 5080 1008 x2697643.exe 71 PID 5080 wrote to memory of 788 5080 h3654296.exe 72 PID 5080 wrote to memory of 788 5080 h3654296.exe 72 PID 5080 wrote to memory of 788 5080 h3654296.exe 72 PID 2868 wrote to memory of 728 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 73 PID 2868 wrote to memory of 728 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 73 PID 2868 wrote to memory of 728 2868 4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe 73 PID 788 wrote to memory of 3508 788 rugen.exe 75 PID 788 wrote to memory of 3508 788 rugen.exe 75 PID 788 wrote to memory of 3508 788 rugen.exe 75 PID 788 wrote to memory of 1284 788 rugen.exe 77 PID 788 wrote to memory of 1284 788 rugen.exe 77 PID 788 wrote to memory of 1284 788 rugen.exe 77 PID 1284 wrote to memory of 4564 1284 cmd.exe 79 PID 1284 wrote to memory of 4564 1284 cmd.exe 79 PID 1284 wrote to memory of 4564 1284 cmd.exe 79 PID 1284 wrote to memory of 4496 1284 cmd.exe 80 PID 1284 wrote to memory of 4496 1284 cmd.exe 80 PID 1284 wrote to memory of 4496 1284 cmd.exe 80 PID 1284 wrote to memory of 3400 1284 cmd.exe 81 PID 1284 wrote to memory of 3400 1284 cmd.exe 81 PID 1284 wrote to memory of 3400 1284 cmd.exe 81 PID 1284 wrote to memory of 4140 1284 cmd.exe 82 PID 1284 wrote to memory of 4140 1284 cmd.exe 82 PID 1284 wrote to memory of 4140 1284 cmd.exe 82 PID 1284 wrote to memory of 4708 1284 cmd.exe 83 PID 1284 wrote to memory of 4708 1284 cmd.exe 83 PID 1284 wrote to memory of 4708 1284 cmd.exe 83 PID 1284 wrote to memory of 3388 1284 cmd.exe 84 PID 1284 wrote to memory of 3388 1284 cmd.exe 84 PID 1284 wrote to memory of 3388 1284 cmd.exe 84 PID 788 wrote to memory of 3024 788 rugen.exe 86 PID 788 wrote to memory of 3024 788 rugen.exe 86 PID 788 wrote to memory of 3024 788 rugen.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe"C:\Users\Admin\AppData\Local\Temp\4ab28a84b438dfeeffef8481c849ed4d7ce0f5bc94e4f0c467aa9469e28ca859.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2697643.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2697643.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4566063.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4566063.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6727466.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f6727466.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9446527.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9446527.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3654296.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3654296.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F5⤵
- Creates scheduled task(s)
PID:3508
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4564
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:N"6⤵PID:4496
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "rugen.exe" /P "Admin:R" /E6⤵PID:3400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4140
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:N"6⤵PID:4708
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\200f691d32" /P "Admin:R" /E6⤵PID:3388
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main5⤵
- Loads dropped DLL
PID:3024
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1110490.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i1110490.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728
-
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
PID:4808
-
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exeC:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe1⤵
- Executes dropped EXE
PID:4120
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
267KB
MD5a2f15d2ba00817f1df889f76618f845c
SHA17665104d4cfb2130d25e8bd1b9216b8ab6e96dc0
SHA25639fa7e1565645de68be313f6a164846caf86bf411efa496029c87018454ac9a6
SHA512e4fb2e2f1001dbf3cc6ad437fb76fbae579498529404713614170be0b3156698a72d6b1a3afff320d7fb6aa52d62984f8f033ba57e0dd1feebcf0575f4ad6c92
-
Filesize
267KB
MD5a2f15d2ba00817f1df889f76618f845c
SHA17665104d4cfb2130d25e8bd1b9216b8ab6e96dc0
SHA25639fa7e1565645de68be313f6a164846caf86bf411efa496029c87018454ac9a6
SHA512e4fb2e2f1001dbf3cc6ad437fb76fbae579498529404713614170be0b3156698a72d6b1a3afff320d7fb6aa52d62984f8f033ba57e0dd1feebcf0575f4ad6c92
-
Filesize
377KB
MD50b2802b2db1455fc651c16a7994ece12
SHA194f82e8bd953b0f48a7d07e2cb3f1f3f1e4ebfc9
SHA2560d9880293be47e4a0d3f444419c20377a94c5f694fa20863f5d3112571a23e9b
SHA512d7b896651136402bf316ce2c2fe40106d716a59a34839e40c083c1c785cfc0db15df2ef923e3c1857fab375c7ecee37b56254aee8759c870638cb26f6a9dece4
-
Filesize
377KB
MD50b2802b2db1455fc651c16a7994ece12
SHA194f82e8bd953b0f48a7d07e2cb3f1f3f1e4ebfc9
SHA2560d9880293be47e4a0d3f444419c20377a94c5f694fa20863f5d3112571a23e9b
SHA512d7b896651136402bf316ce2c2fe40106d716a59a34839e40c083c1c785cfc0db15df2ef923e3c1857fab375c7ecee37b56254aee8759c870638cb26f6a9dece4
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5835f1373b125353f2b0615a2f105d3dd
SHA11aae6edfedcfe6d6828b98b114c581d9f15db807
SHA25600f972eb3d4d2fac05c10c0e6e212cf096b4142b5b5075b29c6c100d51432cd4
SHA5128826d5ff3ab691094eabf4cec3444752ed46714705dae25bc48b5c9ee36c7c9b9cf8606460e71df519dd26a91798ab8be3415e7465df82d362d602e96ebb25e5
-
Filesize
205KB
MD5cb8f48e0ad65d3f3f425a3b510a756e8
SHA1bae1d209698939f4284597301d82d490cac9ad82
SHA2560cb6da15bd9f1fde0a86c67fd55acd5a03e6737c0c16e9ceae7d24e8c0fde8c5
SHA512d7b7823a8f933b86e4088a02eb211c706fa3a8d646a1d510a21134118e4d7e8902476cd3cf946ad50c3f1b30da338c23e5581ec2560ad4931332cc017a40b9a1
-
Filesize
205KB
MD5cb8f48e0ad65d3f3f425a3b510a756e8
SHA1bae1d209698939f4284597301d82d490cac9ad82
SHA2560cb6da15bd9f1fde0a86c67fd55acd5a03e6737c0c16e9ceae7d24e8c0fde8c5
SHA512d7b7823a8f933b86e4088a02eb211c706fa3a8d646a1d510a21134118e4d7e8902476cd3cf946ad50c3f1b30da338c23e5581ec2560ad4931332cc017a40b9a1
-
Filesize
172KB
MD507d7d62d2007d21e8b6215fc9fd6fec3
SHA1116726e13919ccb0ff1a7115b61ed05d309d81f2
SHA256bdcd966a78666f337371968d26f6aba94fd1af8126c769a86bd28fac8b25acb9
SHA5128668456a06bb61d657d6a07a0baad251fcde188a892780b06f2843517cdf1bc050f5f1eb685eb0a0d529ba2150f2fc4b8030f015ee234ce6a228afbc4e0d25a4
-
Filesize
172KB
MD507d7d62d2007d21e8b6215fc9fd6fec3
SHA1116726e13919ccb0ff1a7115b61ed05d309d81f2
SHA256bdcd966a78666f337371968d26f6aba94fd1af8126c769a86bd28fac8b25acb9
SHA5128668456a06bb61d657d6a07a0baad251fcde188a892780b06f2843517cdf1bc050f5f1eb685eb0a0d529ba2150f2fc4b8030f015ee234ce6a228afbc4e0d25a4
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
89KB
MD583fc14fb36516facb19e0e96286f7f48
SHA140082ca06de4c377585cd164fb521bacadb673da
SHA25608dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e
SHA512ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf