Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
31-10-2023 02:49
Static task
static1
Behavioral task
behavioral1
Sample
af64b568501ce3d7e43ace3dca1183e2.msi
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
af64b568501ce3d7e43ace3dca1183e2.msi
Resource
win10v2004-20231023-en
General
-
Target
af64b568501ce3d7e43ace3dca1183e2.msi
-
Size
496KB
-
MD5
af64b568501ce3d7e43ace3dca1183e2
-
SHA1
88d52d7ebe72415d1ee1ff16ffe8afda0b052df0
-
SHA256
bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735
-
SHA512
b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d
-
SSDEEP
12288:2sUSmjkJmRAp8QbNeSAt8wCz7JIXybzHI+c0zVH:nekURQzbNeSug3JIXybzxh
Malware Config
Extracted
C:\$Recycle.Bin\DECRYPT-FILES.txt
maze
http://aoacugmutagkwctu.onion/6dc90cd941a81769
https://mazedecrypt.top/6dc90cd941a81769
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt MsiExec.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc90cd941a81769.tmp MsiExec.exe -
Loads dropped DLL 1 IoCs
pid Process 2592 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" MsiExec.exe -
Drops file in Program Files directory 36 IoCs
description ioc Process File opened for modification C:\Program Files\ClearMount.eps MsiExec.exe File opened for modification C:\Program Files\ConfirmSwitch.cab MsiExec.exe File opened for modification C:\Program Files\ImportRead.xml MsiExec.exe File opened for modification C:\Program Files\SwitchClose.asx MsiExec.exe File opened for modification C:\Program Files\FormatResume.ocx MsiExec.exe File opened for modification C:\Program Files\RedoMerge.dwfx MsiExec.exe File opened for modification C:\Program Files\AddConnect.au MsiExec.exe File opened for modification C:\Program Files\AssertEnter.ico MsiExec.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt MsiExec.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6dc90cd941a81769.tmp MsiExec.exe File opened for modification C:\Program Files\DisableRestore.mp4v MsiExec.exe File opened for modification C:\Program Files (x86)\6dc90cd941a81769.tmp MsiExec.exe File opened for modification C:\Program Files\JoinUse.rtf MsiExec.exe File opened for modification C:\Program Files\PingUndo.mhtml MsiExec.exe File created C:\Program Files\DECRYPT-FILES.txt MsiExec.exe File opened for modification C:\Program Files\ConnectResume.jpeg MsiExec.exe File opened for modification C:\Program Files\DismountWrite.mpa MsiExec.exe File opened for modification C:\Program Files\EnableInitialize.7z MsiExec.exe File opened for modification C:\Program Files\ExitResume.asp MsiExec.exe File opened for modification C:\Program Files\FindGroup.vdw MsiExec.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6dc90cd941a81769.tmp MsiExec.exe File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6dc90cd941a81769.tmp MsiExec.exe File opened for modification C:\Program Files\SplitConvert.3g2 MsiExec.exe File opened for modification C:\Program Files\StepUndo.ram MsiExec.exe File opened for modification C:\Program Files\SyncDeny.emf MsiExec.exe File opened for modification C:\Program Files\UnprotectUnlock.midi MsiExec.exe File opened for modification C:\Program Files\UseRead.cab MsiExec.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt MsiExec.exe File created C:\Program Files (x86)\pawufefu\ReadMe.txt msiexec.exe File opened for modification C:\Program Files\RemoveCopy.7z MsiExec.exe File created C:\Program Files (x86)\DECRYPT-FILES.txt MsiExec.exe File opened for modification C:\Program Files\6dc90cd941a81769.tmp MsiExec.exe File opened for modification C:\Program Files\ExportTest.mpp MsiExec.exe File opened for modification C:\Program Files\OpenFind.odt MsiExec.exe File opened for modification C:\Program Files\CompleteRemove.mpeg MsiExec.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt MsiExec.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\Installer\f7683a2.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI85A4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8603.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f7683a1.msi msiexec.exe File opened for modification C:\Windows\Installer\f7683a1.msi msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2124 msiexec.exe 2124 msiexec.exe 2592 MsiExec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2160 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2160 msiexec.exe Token: SeIncreaseQuotaPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeSecurityPrivilege 2124 msiexec.exe Token: SeCreateTokenPrivilege 2160 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2160 msiexec.exe Token: SeLockMemoryPrivilege 2160 msiexec.exe Token: SeIncreaseQuotaPrivilege 2160 msiexec.exe Token: SeMachineAccountPrivilege 2160 msiexec.exe Token: SeTcbPrivilege 2160 msiexec.exe Token: SeSecurityPrivilege 2160 msiexec.exe Token: SeTakeOwnershipPrivilege 2160 msiexec.exe Token: SeLoadDriverPrivilege 2160 msiexec.exe Token: SeSystemProfilePrivilege 2160 msiexec.exe Token: SeSystemtimePrivilege 2160 msiexec.exe Token: SeProfSingleProcessPrivilege 2160 msiexec.exe Token: SeIncBasePriorityPrivilege 2160 msiexec.exe Token: SeCreatePagefilePrivilege 2160 msiexec.exe Token: SeCreatePermanentPrivilege 2160 msiexec.exe Token: SeBackupPrivilege 2160 msiexec.exe Token: SeRestorePrivilege 2160 msiexec.exe Token: SeShutdownPrivilege 2160 msiexec.exe Token: SeDebugPrivilege 2160 msiexec.exe Token: SeAuditPrivilege 2160 msiexec.exe Token: SeSystemEnvironmentPrivilege 2160 msiexec.exe Token: SeChangeNotifyPrivilege 2160 msiexec.exe Token: SeRemoteShutdownPrivilege 2160 msiexec.exe Token: SeUndockPrivilege 2160 msiexec.exe Token: SeSyncAgentPrivilege 2160 msiexec.exe Token: SeEnableDelegationPrivilege 2160 msiexec.exe Token: SeManageVolumePrivilege 2160 msiexec.exe Token: SeImpersonatePrivilege 2160 msiexec.exe Token: SeCreateGlobalPrivilege 2160 msiexec.exe Token: SeBackupPrivilege 2464 vssvc.exe Token: SeRestorePrivilege 2464 vssvc.exe Token: SeAuditPrivilege 2464 vssvc.exe Token: SeBackupPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2820 DrvInst.exe Token: SeLoadDriverPrivilege 2820 DrvInst.exe Token: SeLoadDriverPrivilege 2820 DrvInst.exe Token: SeLoadDriverPrivilege 2820 DrvInst.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeIncreaseQuotaPrivilege 1956 wmic.exe Token: SeSecurityPrivilege 1956 wmic.exe Token: SeTakeOwnershipPrivilege 1956 wmic.exe Token: SeLoadDriverPrivilege 1956 wmic.exe Token: SeSystemProfilePrivilege 1956 wmic.exe Token: SeSystemtimePrivilege 1956 wmic.exe Token: SeProfSingleProcessPrivilege 1956 wmic.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2160 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2124 wrote to memory of 2592 2124 msiexec.exe 32 PID 2592 wrote to memory of 1956 2592 MsiExec.exe 35 PID 2592 wrote to memory of 1956 2592 MsiExec.exe 35 PID 2592 wrote to memory of 1956 2592 MsiExec.exe 35 PID 2592 wrote to memory of 1956 2592 MsiExec.exe 35 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2160
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A58EC127D954BA3C811C961BB65C90F52⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\system32\wbem\wmic.exe"C:\nrxv\a\..\..\Windows\c\opw\ynl\..\..\..\system32\snk\a\..\..\wbem\lxsei\ecdjh\..\..\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵PID:1188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5fb782ce8aaf2eee1839a6ccd42cc1d37
SHA1179d3fb8a1690314a520129a0704399cfe355d6f
SHA2561300f288f0f36f534ccc2897a0653a5e7f2655487f6d66aae7c93895e1892388
SHA512d3083e6901d9845d14472db33d4e53d0db7adce42d48b50941678a08b84014327ec9902a019615ca6aef90d06d147cfa53be5152ccebe280671ba4fa96b313c8
-
Filesize
770B
MD5ad73565c3a021e7afc57b2be3df8ef01
SHA1d13bf86e286520c30eaf5fd21a57564903924d68
SHA2560eafc10378df64d9ca5223f10e482a23b534b5de8890f95d9d96205115dab224
SHA512645b62cf20b09d40535a59805f781fadbe252234c4b5be5bddca88c8b6ae52e9ed84446394997e20643cbc8d009de80b3f5c8ade1c67c47253e381957329ed58
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2BFC39EC52024679BD3781D4359B334F.dat
Filesize940B
MD5663fdb249d342d3f0fffec117cdfa382
SHA16dd43fceb2908949bf1d2a4538ffe7a550862c0c
SHA256a08023d0a806a85aa75b507297db1fc5c363410d98b8c4fc2145c7889552c9e8
SHA5121f99aac77e8d39e444214ce379957bbc4b8acb3a56f6fbb47c2c67520f4f0c493a896b8ca06888cf41bdff7e9bced117a09a331c233c1e623dbf8210c86024fc
-
Filesize
462KB
MD5718d001ca0e953c5f52f8a4ae2697411
SHA14e5727a404418663b228fedba2007de26f830b07
SHA25653a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA5123f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc
-
Filesize
462KB
MD5718d001ca0e953c5f52f8a4ae2697411
SHA14e5727a404418663b228fedba2007de26f830b07
SHA25653a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd
SHA5123f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc