Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 10:40
Behavioral task
behavioral1
Sample
36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
Resource
win10v2004-20230915-en
General
-
Target
36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe
-
Size
1.4MB
-
MD5
c3a778773d111438753b04f1fdd1c015
-
SHA1
178ed102913cb579e567aa3e80ed1638e37b93d0
-
SHA256
36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9
-
SHA512
a8b081ef60acb557e9973b26f7e7e999421283c3008770c67128400cec0fb819999e9e0aad9a494eea8bda8121fa9d8b5a24a1372ffa6d06f1c22d11f1edc6bd
-
SSDEEP
12288:DSvO2x9mONvKRhLSFROkx2LIaCy+Bg0tmyyyI:2vO2xJKRh2bOkx2LFV+Bg6M
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3096 created 612 3096 Explorer.EXE 6 -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\ReDXagLP6.sys bthudtask.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe -
Executes dropped EXE 2 IoCs
pid Process 5004 bfaca392 3488 bthudtask.exe -
resource yara_rule behavioral2/memory/2788-0-0x00000000000F0000-0x000000000017C000-memory.dmp upx behavioral2/files/0x0007000000023243-2.dat upx behavioral2/files/0x0007000000023243-4.dat upx behavioral2/memory/5004-3-0x0000000000950000-0x00000000009DC000-memory.dmp upx behavioral2/memory/5004-25-0x0000000000950000-0x00000000009DC000-memory.dmp upx behavioral2/memory/2788-24-0x00000000000F0000-0x000000000017C000-memory.dmp upx behavioral2/memory/2788-38-0x00000000000F0000-0x000000000017C000-memory.dmp upx behavioral2/memory/5004-67-0x0000000000950000-0x00000000009DC000-memory.dmp upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 -
Drops file in System32 directory 26 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 bthudtask.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData bfaca392 File created C:\Windows\SysWOW64\bfaca392 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 bfaca392 File created C:\Windows\system32\ \Windows\System32\6uNCOT2WX.sys bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B bthudtask.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft bfaca392 File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 bthudtask.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies bfaca392 File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 bthudtask.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 bthudtask.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content bfaca392 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 bfaca392 -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Logs\bthudtask.exe Explorer.EXE File opened for modification C:\Windows\Logs\bthudtask.exe Explorer.EXE File created C:\Windows\OAgsxu.sys bthudtask.exe File opened for modification C:\Windows\55ab98 bfaca392 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName bthudtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 bthudtask.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 bthudtask.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 4428 timeout.exe 916 timeout.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix bfaca392 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing bfaca392 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix bthudtask.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing bthudtask.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" bfaca392 Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" bthudtask.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" bthudtask.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" bfaca392 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ bfaca392 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" bfaca392 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" bfaca392 Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" bthudtask.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" bthudtask.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" bfaca392 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ bthudtask.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" bthudtask.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" bthudtask.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" bfaca392 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 5004 bfaca392 3096 Explorer.EXE 3096 Explorer.EXE 3096 Explorer.EXE 3096 Explorer.EXE 5004 bfaca392 5004 bfaca392 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe 3488 bthudtask.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3096 Explorer.EXE -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 664 Process not Found 664 Process not Found 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeDebugPrivilege 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe Token: SeTcbPrivilege 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe Token: SeDebugPrivilege 5004 bfaca392 Token: SeTcbPrivilege 5004 bfaca392 Token: SeDebugPrivilege 5004 bfaca392 Token: SeDebugPrivilege 3096 Explorer.EXE Token: SeDebugPrivilege 3096 Explorer.EXE Token: SeIncBasePriorityPrivilege 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe Token: SeDebugPrivilege 5004 bfaca392 Token: SeDebugPrivilege 3488 bthudtask.exe Token: SeDebugPrivilege 3488 bthudtask.exe Token: SeDebugPrivilege 3488 bthudtask.exe Token: SeShutdownPrivilege 3096 Explorer.EXE Token: SeCreatePagefilePrivilege 3096 Explorer.EXE Token: SeIncBasePriorityPrivilege 5004 bfaca392 Token: SeShutdownPrivilege 3096 Explorer.EXE Token: SeCreatePagefilePrivilege 3096 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3096 Explorer.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 5004 wrote to memory of 3096 5004 bfaca392 40 PID 5004 wrote to memory of 3096 5004 bfaca392 40 PID 5004 wrote to memory of 3096 5004 bfaca392 40 PID 5004 wrote to memory of 3096 5004 bfaca392 40 PID 5004 wrote to memory of 3096 5004 bfaca392 40 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 3096 wrote to memory of 3488 3096 Explorer.EXE 87 PID 5004 wrote to memory of 612 5004 bfaca392 6 PID 5004 wrote to memory of 612 5004 bfaca392 6 PID 5004 wrote to memory of 612 5004 bfaca392 6 PID 5004 wrote to memory of 612 5004 bfaca392 6 PID 5004 wrote to memory of 612 5004 bfaca392 6 PID 2788 wrote to memory of 4496 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe 91 PID 2788 wrote to memory of 4496 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe 91 PID 2788 wrote to memory of 4496 2788 36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe 91 PID 4496 wrote to memory of 916 4496 cmd.exe 93 PID 4496 wrote to memory of 916 4496 cmd.exe 93 PID 4496 wrote to memory of 916 4496 cmd.exe 93 PID 5004 wrote to memory of 3992 5004 bfaca392 95 PID 5004 wrote to memory of 3992 5004 bfaca392 95 PID 5004 wrote to memory of 3992 5004 bfaca392 95 PID 3992 wrote to memory of 4428 3992 cmd.exe 97 PID 3992 wrote to memory of 4428 3992 cmd.exe 97 PID 3992 wrote to memory of 4428 3992 cmd.exe 97
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Logs\bthudtask.exe"C:\Windows\Logs\bthudtask.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"2⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\36f66b4a07a3e1caadb2935a51db3284bca379fac7d4d24abc39994949a8bef9.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
PID:916
-
-
-
-
C:\Windows\Syswow64\bfaca392C:\Windows\Syswow64\bfaca3921⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\bfaca392"2⤵
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
PID:4428
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.6MB
MD55244c87dbafa1f764b258766005dea73
SHA184cb8b4fb3e0910cfecfb31b6fa54c16d940e703
SHA256077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40
SHA51254d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438
-
Filesize
14.8MB
MD5b1057fccc9bf7a0976c173bed8c7e2a0
SHA1fa7023b9e81f80adf10721ae995ec07ba0edd2f2
SHA2563ee17398c1784dac54e2a218aacf3e64819dab2e809040ffc261d0444e768582
SHA51204d4e64b137163ff9ffa8692495a2f91d80340ee6470c987e4413be3774ca5b344db8ea69d110642e10017e7868a086086f297441f3bc91038dee942d2b84a12
-
Filesize
39KB
MD54dcd6fcabf20fbc8bfb11a9f6e4b77f0
SHA1233eac2bed59b8fe167c1501ac3fda48b32a1b0c
SHA256cf5ae95c9fdafe5f0cc9d7010412e84502fe66ad60f57dfdf68735b9315ff444
SHA512b4293a438ba9d41e446bfb1bca3a4df4ab009882b7df2eda61607cfef77a397f6ae3c3532dc1addaa9553a0bc9f3e756d3ac377a69cf1ae537638f618e666ea3
-
Filesize
39KB
MD54dcd6fcabf20fbc8bfb11a9f6e4b77f0
SHA1233eac2bed59b8fe167c1501ac3fda48b32a1b0c
SHA256cf5ae95c9fdafe5f0cc9d7010412e84502fe66ad60f57dfdf68735b9315ff444
SHA512b4293a438ba9d41e446bfb1bca3a4df4ab009882b7df2eda61607cfef77a397f6ae3c3532dc1addaa9553a0bc9f3e756d3ac377a69cf1ae537638f618e666ea3
-
Filesize
1.4MB
MD5066619ca99a6c0b4dda60111aecc1fec
SHA1852e4d240187835029d3b2086256553f249d9b25
SHA2565f2a20bfcd6b14b4dcabac8f10df9bf768bfd7bcc0f62be314a1e57c3b75eb3b
SHA5125004f11d39dcf5a2cf132d78f9325041c4148ab4d2192e43f3e8ea6a479569a4fae99e083490e635deddac995147ec75b71355c73f514f32cc928dcb40491855
-
Filesize
1.4MB
MD5066619ca99a6c0b4dda60111aecc1fec
SHA1852e4d240187835029d3b2086256553f249d9b25
SHA2565f2a20bfcd6b14b4dcabac8f10df9bf768bfd7bcc0f62be314a1e57c3b75eb3b
SHA5125004f11d39dcf5a2cf132d78f9325041c4148ab4d2192e43f3e8ea6a479569a4fae99e083490e635deddac995147ec75b71355c73f514f32cc928dcb40491855