Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2023 17:59
Static task
static1
Behavioral task
behavioral1
Sample
Fortnitenls.scr
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Fortnitenls.scr
Resource
win10v2004-20230703-en
General
-
Target
Fortnitenls.scr
-
Size
149KB
-
MD5
141bf998683fbd8da1dd106562844695
-
SHA1
37e11fe2d414045d3c315029eaa26da4793530e2
-
SHA256
ca488f8b7b1918330e11260aff4fc2b353413f10b7390bb6f8d5437f4d5bf2d2
-
SHA512
66269b42a3b1eae9c963a0d97df1759fa29576ac3be8cb4b82c78b5e1eb255cfa69070afd58aeb72f07c80a62acf83fd85b94f1fd9fa5f3e6b76d8e03fd9f110
-
SSDEEP
768:sQ51nPEgDGJ61ktbP13fGrfX+9wqmE/q5/Vj/iF//hKGk4HU3rgJNIIaKTvqXF0x:bDnV261C6X4NmoFEgJycuoGs
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1130093797292900402/tYB3leEFtzF4RkxtyISBBD8JoyElTZ84y-J-gnLkl0c03Bo__qhxshnX3-NkcqxMwsJv
Extracted
njrat
0.7d
ffg
runtimebroker.ddns.net:8080
9cd48799f48622358d39e92cf2b76213
-
reg_key
9cd48799f48622358d39e92cf2b76213
-
splitter
Y262SUCZ4UJJ
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Fortnitenls.scrPerfWatson (2).exePerfWatson.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation Fortnitenls.scr Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation PerfWatson (2).exe Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation PerfWatson.exe -
Drops startup file 2 IoCs
Processes:
NtUserRuntime.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cd48799f48622358d39e92cf2b76213.exe NtUserRuntime.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9cd48799f48622358d39e92cf2b76213.exe NtUserRuntime.exe -
Executes dropped EXE 3 IoCs
Processes:
PerfWatson.exePerfWatson (2).exeNtUserRuntime.exepid process 1300 PerfWatson.exe 3952 PerfWatson (2).exe 3516 NtUserRuntime.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
PerfWatson.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PerfWatson.exe Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PerfWatson.exe Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PerfWatson.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
NtUserRuntime.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213 = "\"C:\\Users\\Admin\\NtUserRuntime.exe\" .." NtUserRuntime.exe Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9cd48799f48622358d39e92cf2b76213 = "\"C:\\Users\\Admin\\NtUserRuntime.exe\" .." NtUserRuntime.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 36 icanhazip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
PerfWatson.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 PerfWatson.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier PerfWatson.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1324 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2200 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
PerfWatson.exepid process 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe 1300 PerfWatson.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
PerfWatson.exemsiexec.exeNtUserRuntime.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1300 PerfWatson.exe Token: SeSecurityPrivilege 1928 msiexec.exe Token: SeDebugPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: SeDebugPrivilege 2200 taskkill.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe Token: 33 3516 NtUserRuntime.exe Token: SeIncBasePriorityPrivilege 3516 NtUserRuntime.exe -
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
Fortnitenls.scrPerfWatson (2).exePerfWatson.execmd.execmd.exeNtUserRuntime.execmd.exedescription pid process target process PID 3676 wrote to memory of 2880 3676 Fortnitenls.scr cmd.exe PID 3676 wrote to memory of 2880 3676 Fortnitenls.scr cmd.exe PID 3676 wrote to memory of 1300 3676 Fortnitenls.scr PerfWatson.exe PID 3676 wrote to memory of 1300 3676 Fortnitenls.scr PerfWatson.exe PID 3676 wrote to memory of 1300 3676 Fortnitenls.scr PerfWatson.exe PID 3676 wrote to memory of 3952 3676 Fortnitenls.scr PerfWatson (2).exe PID 3676 wrote to memory of 3952 3676 Fortnitenls.scr PerfWatson (2).exe PID 3676 wrote to memory of 3952 3676 Fortnitenls.scr PerfWatson (2).exe PID 3952 wrote to memory of 3516 3952 PerfWatson (2).exe NtUserRuntime.exe PID 3952 wrote to memory of 3516 3952 PerfWatson (2).exe NtUserRuntime.exe PID 3952 wrote to memory of 3516 3952 PerfWatson (2).exe NtUserRuntime.exe PID 1300 wrote to memory of 1076 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 1076 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 1076 1300 PerfWatson.exe cmd.exe PID 1076 wrote to memory of 2396 1076 cmd.exe chcp.com PID 1076 wrote to memory of 2396 1076 cmd.exe chcp.com PID 1076 wrote to memory of 2396 1076 cmd.exe chcp.com PID 1076 wrote to memory of 3748 1076 cmd.exe netsh.exe PID 1076 wrote to memory of 3748 1076 cmd.exe netsh.exe PID 1076 wrote to memory of 3748 1076 cmd.exe netsh.exe PID 1076 wrote to memory of 1072 1076 cmd.exe findstr.exe PID 1076 wrote to memory of 1072 1076 cmd.exe findstr.exe PID 1076 wrote to memory of 1072 1076 cmd.exe findstr.exe PID 1300 wrote to memory of 3980 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 3980 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 3980 1300 PerfWatson.exe cmd.exe PID 3980 wrote to memory of 3804 3980 cmd.exe chcp.com PID 3980 wrote to memory of 3804 3980 cmd.exe chcp.com PID 3980 wrote to memory of 3804 3980 cmd.exe chcp.com PID 3980 wrote to memory of 1056 3980 cmd.exe netsh.exe PID 3980 wrote to memory of 1056 3980 cmd.exe netsh.exe PID 3980 wrote to memory of 1056 3980 cmd.exe netsh.exe PID 3516 wrote to memory of 5004 3516 NtUserRuntime.exe netsh.exe PID 3516 wrote to memory of 5004 3516 NtUserRuntime.exe netsh.exe PID 3516 wrote to memory of 5004 3516 NtUserRuntime.exe netsh.exe PID 1300 wrote to memory of 1416 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 1416 1300 PerfWatson.exe cmd.exe PID 1300 wrote to memory of 1416 1300 PerfWatson.exe cmd.exe PID 1416 wrote to memory of 1592 1416 cmd.exe chcp.com PID 1416 wrote to memory of 1592 1416 cmd.exe chcp.com PID 1416 wrote to memory of 1592 1416 cmd.exe chcp.com PID 1416 wrote to memory of 2200 1416 cmd.exe taskkill.exe PID 1416 wrote to memory of 2200 1416 cmd.exe taskkill.exe PID 1416 wrote to memory of 2200 1416 cmd.exe taskkill.exe PID 1416 wrote to memory of 1324 1416 cmd.exe timeout.exe PID 1416 wrote to memory of 1324 1416 cmd.exe timeout.exe PID 1416 wrote to memory of 1324 1416 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
PerfWatson.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PerfWatson.exe -
outlook_win_path 1 IoCs
Processes:
PerfWatson.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 PerfWatson.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr"C:\Users\Admin\AppData\Local\Temp\Fortnitenls.scr" /S1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ImGui\FortniterCS.vcxproj2⤵PID:2880
-
C:\Users\Admin\PerfWatson.exe"C:\Users\Admin\PerfWatson.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1300 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:2396
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵PID:3748
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵PID:1072
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:3804
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp66.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:1592
-
C:\Windows\SysWOW64\taskkill.exeTaskKill /F /IM 13004⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\SysWOW64\timeout.exeTimeout /T 2 /Nobreak4⤵
- Delays execution with timeout.exe
PID:1324 -
C:\Users\Admin\PerfWatson (2).exe"C:\Users\Admin\PerfWatson (2).exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\NtUserRuntime.exe"C:\Users\Admin\NtUserRuntime.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\NtUserRuntime.exe" "NtUserRuntime.exe" ENABLE4⤵
- Modifies Windows Firewall
PID:5004
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57B
MD507987ffa17211c48e18bc6ebae327e2e
SHA1a199769974ead549eda9dfe389a1f5ce1cdde765
SHA25674e5944571c40686d82be0eb99b9add1ca48cde0dc42c651dd92c055e41418b0
SHA512ccdb98422bf4471f851e82ae142ab6869b2f045db3342eb204c6db61ee5278352d125251c8e5364e978c9adb19c162e18a109f84225cdd1bd1f813eafb42130f
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\Directories\OneDrive.txt
Filesize25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\Directories\Startup.txt
Filesize24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\Directories\Videos.txt
Filesize23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
Filesize
4KB
MD562ee0b1f7549e906822d2248d68d7638
SHA1ad68d9cf72770e50eff6bc648dba15a8baa509cf
SHA2560226948b660e2dd6e3f3488f7fa67d9dac5f55277bad2ca2a2c1e7791e010cce
SHA5125722804de47c5cc4e1f43312bcd3677550821c83c376a6540a37db1f473dafb50fdc6164230d380985b553f7c59c9aff0e1f21c67803b4d5eb53108779035146
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\System\Process.txt
Filesize4KB
MD5b62532261dae8f92b2406d4e70b4365e
SHA1e0c55242a64fa3651be580d074f3c1ed5530abed
SHA256340a5a2f976b2435ac4582a03886cc7570d4c2201d2d743515527fef314ea977
SHA5125b0f338581ae38cd34395caed4edcf371f350596f9b7b282fcb69b5ed6641509fc7d73da90949fe30e3e53b235629e217b0006ae791d4bce80b13c9c4c4e5ea6
-
C:\Users\Admin\AppData\Local\e04c609c5fb995a9b2ae374f111ac5ed\Admin@HISXQJCD_en-US\System\ProductKey.txt
Filesize29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
Filesize
19B
MD575d026ff91f2db5bdb485ecc1b4ba46d
SHA1f1e9c9569bd089482480836aef8bb255669ead13
SHA256be248d7a8d894a36a9f0adcb9936c6c1d300cc77f57835cb0d0694be3852406a
SHA512b029b12580e9515d030b62df08365e802a9ef5aa2e30177176387ebb6d361d2b3147f8441e46b84e31a59a85b5d3f604e6c29c578fe0d7c8ed989c81f70b2403
-
Filesize
31KB
MD5ffedb9454cd970240628f9a65ba440e1
SHA190e7557bac4789101f7d53a7823623714f16e740
SHA2563801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
SHA5129ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41
-
Filesize
31KB
MD5ffedb9454cd970240628f9a65ba440e1
SHA190e7557bac4789101f7d53a7823623714f16e740
SHA2563801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
SHA5129ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41
-
Filesize
31KB
MD5ffedb9454cd970240628f9a65ba440e1
SHA190e7557bac4789101f7d53a7823623714f16e740
SHA2563801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
SHA5129ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41
-
Filesize
31KB
MD5ffedb9454cd970240628f9a65ba440e1
SHA190e7557bac4789101f7d53a7823623714f16e740
SHA2563801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
SHA5129ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41
-
Filesize
31KB
MD5ffedb9454cd970240628f9a65ba440e1
SHA190e7557bac4789101f7d53a7823623714f16e740
SHA2563801c296dab5e58d5609634c40648b2cd7927d106b08966450629ee261e46ca4
SHA5129ab7fa0fb2161eea6e23ee8dd3289c50c5dea00edd7122ca3e081a6c3b195b71ce2853dd8182481aeeb1f9b0dbe7355b5fdf97684ba6eff9933f4f516fb53c41
-
Filesize
2.9MB
MD51d1da22273bc54c1e9d1c5f94b79655d
SHA191ecd916e9f178468a73bdf7b1dbc79fc6eba929
SHA25667dd4aaad52ce3f19f177ab41004a583dc082c1b068408a53c0533540e687833
SHA51228d01ce3b1ae0eb3da11191604e890b5f5008305778d5957bc5a2c70425c4d874f5c4db6ede34c99926bf52695de33a8e4e2afa12545982fd15a3e7afed8b524
-
Filesize
2.9MB
MD51d1da22273bc54c1e9d1c5f94b79655d
SHA191ecd916e9f178468a73bdf7b1dbc79fc6eba929
SHA25667dd4aaad52ce3f19f177ab41004a583dc082c1b068408a53c0533540e687833
SHA51228d01ce3b1ae0eb3da11191604e890b5f5008305778d5957bc5a2c70425c4d874f5c4db6ede34c99926bf52695de33a8e4e2afa12545982fd15a3e7afed8b524
-
Filesize
2.9MB
MD51d1da22273bc54c1e9d1c5f94b79655d
SHA191ecd916e9f178468a73bdf7b1dbc79fc6eba929
SHA25667dd4aaad52ce3f19f177ab41004a583dc082c1b068408a53c0533540e687833
SHA51228d01ce3b1ae0eb3da11191604e890b5f5008305778d5957bc5a2c70425c4d874f5c4db6ede34c99926bf52695de33a8e4e2afa12545982fd15a3e7afed8b524