Analysis
-
max time kernel
118s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
18/11/2023, 02:37
Behavioral task
behavioral1
Sample
NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
Resource
win10v2004-20231025-en
General
-
Target
NEAS.d316c5acd7974aaa1cab464245b38ac0.exe
-
Size
783KB
-
MD5
d316c5acd7974aaa1cab464245b38ac0
-
SHA1
9c7636717bb1063e0801a769aeef01bf15af1bb4
-
SHA256
b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
-
SHA512
c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b
-
SSDEEP
12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:G+OQbpbgsFdAyQvzSqaq8q
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2536 2896 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 2896 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2984 2896 schtasks.exe 28 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2476 2896 schtasks.exe 28 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe -
resource yara_rule behavioral1/memory/2172-0-0x0000000000DE0000-0x0000000000EAA000-memory.dmp dcrat behavioral1/files/0x000b000000012264-37.dat dcrat behavioral1/files/0x0008000000015c5f-50.dat dcrat behavioral1/files/0x0008000000015c5f-68.dat dcrat behavioral1/files/0x0008000000015c5f-70.dat dcrat behavioral1/memory/2140-71-0x0000000000960000-0x0000000000A2A000-memory.dmp dcrat behavioral1/memory/2140-73-0x000000001B130000-0x000000001B1B0000-memory.dmp dcrat -
Executes dropped EXE 1 IoCs
pid Process 2140 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\KBDMAC\\winlogon.exe\"" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\l_intl\\spoolsv.exe\"" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\Groupinghc\\csrss.exe\"" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\73725a82-739a-11ee-b301-ca9cbbc363d2\\spoolsv.exe\"" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\KBDMAC\winlogon.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\l_intl\spoolsv.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\Groupinghc\csrss.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File opened for modification C:\Windows\System32\l_intl\spoolsv.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File opened for modification C:\Windows\System32\Groupinghc\RCX81C0.tmp NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File opened for modification C:\Windows\System32\l_intl\RCX7F11.tmp NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File opened for modification C:\Windows\System32\Groupinghc\csrss.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\KBDMAC\winlogon.exe NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\KBDMAC\cc11b995f2a76da408ea6a601e682e64743153ad NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\l_intl\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File created C:\Windows\System32\Groupinghc\886983d96e3d3e31032c679b2d4ea91b6c05afef NEAS.d316c5acd7974aaa1cab464245b38ac0.exe File opened for modification C:\Windows\System32\KBDMAC\RCX7CFE.tmp NEAS.d316c5acd7974aaa1cab464245b38ac0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2476 schtasks.exe 2536 schtasks.exe 2508 schtasks.exe 2984 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 spoolsv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 spoolsv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 spoolsv.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 2140 spoolsv.exe 2140 spoolsv.exe 2140 spoolsv.exe 2140 spoolsv.exe 2140 spoolsv.exe 2140 spoolsv.exe 2140 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Token: SeDebugPrivilege 2140 spoolsv.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2140 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 33 PID 2172 wrote to memory of 2140 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 33 PID 2172 wrote to memory of 2140 2172 NEAS.d316c5acd7974aaa1cab464245b38ac0.exe 33 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" spoolsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" NEAS.d316c5acd7974aaa1cab464245b38ac0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" spoolsv.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d316c5acd7974aaa1cab464245b38ac0.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172 -
C:\Windows\System32\l_intl\spoolsv.exe"C:\Windows\System32\l_intl\spoolsv.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2140
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\KBDMAC\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\l_intl\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\Groupinghc\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\73725a82-739a-11ee-b301-ca9cbbc363d2\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f01e350e566149df05621aa227fb2f52
SHA132f5b2eda5c27cf2291b548d40534b91cb8a908d
SHA256d167d8873aa83d7a67493803a08cde3d7e4cc8f573f1bb883323f34233c59bb0
SHA51243a58a68c97e10733f734f7c2177795f0730598a86bbb32510410612cfae4a320cb00f55a3ec7a093a268874874e046f65471e8eb688cc05703576930a77b061
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
783KB
MD5d316c5acd7974aaa1cab464245b38ac0
SHA19c7636717bb1063e0801a769aeef01bf15af1bb4
SHA256b55e235214350f8fe2b3e870aa318e1eefc3cbf7c29f4109e7944e32bb99d43d
SHA512c1251f6f48c716f167842262de085290f8aaff08ee4f676f8d47424ca2020326bf0b49a0c700e6b373c4200c5a4b4ca8b2f0105c2dccab74c4a4308b46d59a4b
-
Filesize
783KB
MD5fcbdf31839b54fa1f1d745db24c485ab
SHA122bed2c4fee7ad87303f79741a15a8b3b4c98388
SHA2563f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112
SHA5125c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2
-
Filesize
783KB
MD5fcbdf31839b54fa1f1d745db24c485ab
SHA122bed2c4fee7ad87303f79741a15a8b3b4c98388
SHA2563f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112
SHA5125c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2
-
Filesize
783KB
MD5fcbdf31839b54fa1f1d745db24c485ab
SHA122bed2c4fee7ad87303f79741a15a8b3b4c98388
SHA2563f86495e050f5bf16c59feea3146c5cf69a1aa77768ade06672f4d6ec6ec4112
SHA5125c8a084029745262fb624bdea8498f8fa86c503a06db34da4996dc36c0ffd13f82f958e68eabd25e241f691e5a91df90941c66e1ab9f790dfe32b403e053fed2