Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2023 16:29
Static task
static1
Behavioral task
behavioral1
Sample
c963942b7b60bf1352d07f136ce4d5f0.exe
Resource
win7-20231201-en
General
-
Target
c963942b7b60bf1352d07f136ce4d5f0.exe
-
Size
453KB
-
MD5
c963942b7b60bf1352d07f136ce4d5f0
-
SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370
-
SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
-
SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
SSDEEP
6144:JWithdJ7T88JJdDkELkbO+IAGkqOjIHROoSvdZ1m4TzzWCB/ZiaM:Mi1JfbJJd4O+IAGFcSROZZ1lD7B8aM
Malware Config
Extracted
amadey
http://77.91.76.37
-
strings_key
c736fd5bdd26ef77013837dee2004742
-
url_paths
/g8samsA2/index.php
Extracted
amadey
4.13
http://77.91.76.37
-
install_dir
c508585d38
-
install_file
Utsysc.exe
-
strings_key
c736fd5bdd26ef77013837dee2004742
-
url_paths
/g8samsA2/index.php
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exerundll32.exeflow pid process 50 1876 rundll32.exe 51 4276 rundll32.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c963942b7b60bf1352d07f136ce4d5f0.exeUtsysc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation c963942b7b60bf1352d07f136ce4d5f0.exe Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation Utsysc.exe -
Executes dropped EXE 3 IoCs
Processes:
Utsysc.exeUtsysc.exeUtsysc.exepid process 4812 Utsysc.exe 1632 Utsysc.exe 2556 Utsysc.exe -
Loads dropped DLL 3 IoCs
Processes:
rundll32.exerundll32.exerundll32.exepid process 4624 rundll32.exe 1876 rundll32.exe 4276 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 30 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5024 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 4732 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 4852 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 4144 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 2524 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 4108 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 2692 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 2164 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 2588 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 1252 3876 WerFault.exe c963942b7b60bf1352d07f136ce4d5f0.exe 3920 4812 WerFault.exe Utsysc.exe 2120 4812 WerFault.exe Utsysc.exe 1872 4812 WerFault.exe Utsysc.exe 4904 4812 WerFault.exe Utsysc.exe 3524 4812 WerFault.exe Utsysc.exe 2032 4812 WerFault.exe Utsysc.exe 5076 4812 WerFault.exe Utsysc.exe 2896 4812 WerFault.exe Utsysc.exe 1140 4812 WerFault.exe Utsysc.exe 3328 4812 WerFault.exe Utsysc.exe 3608 4812 WerFault.exe Utsysc.exe 3296 4812 WerFault.exe Utsysc.exe 1184 4812 WerFault.exe Utsysc.exe 2784 4812 WerFault.exe Utsysc.exe 4184 4812 WerFault.exe Utsysc.exe 3876 4812 WerFault.exe Utsysc.exe 4632 1632 WerFault.exe Utsysc.exe 3780 4812 WerFault.exe Utsysc.exe 2860 2556 WerFault.exe Utsysc.exe 828 4812 WerFault.exe Utsysc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
rundll32.exepid process 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe 1876 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
c963942b7b60bf1352d07f136ce4d5f0.exepid process 3876 c963942b7b60bf1352d07f136ce4d5f0.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
c963942b7b60bf1352d07f136ce4d5f0.exeUtsysc.exerundll32.exerundll32.exedescription pid process target process PID 3876 wrote to memory of 4812 3876 c963942b7b60bf1352d07f136ce4d5f0.exe Utsysc.exe PID 3876 wrote to memory of 4812 3876 c963942b7b60bf1352d07f136ce4d5f0.exe Utsysc.exe PID 3876 wrote to memory of 4812 3876 c963942b7b60bf1352d07f136ce4d5f0.exe Utsysc.exe PID 4812 wrote to memory of 700 4812 Utsysc.exe schtasks.exe PID 4812 wrote to memory of 700 4812 Utsysc.exe schtasks.exe PID 4812 wrote to memory of 700 4812 Utsysc.exe schtasks.exe PID 4812 wrote to memory of 4624 4812 Utsysc.exe rundll32.exe PID 4812 wrote to memory of 4624 4812 Utsysc.exe rundll32.exe PID 4812 wrote to memory of 4624 4812 Utsysc.exe rundll32.exe PID 4624 wrote to memory of 1876 4624 rundll32.exe rundll32.exe PID 4624 wrote to memory of 1876 4624 rundll32.exe rundll32.exe PID 1876 wrote to memory of 4636 1876 rundll32.exe netsh.exe PID 1876 wrote to memory of 4636 1876 rundll32.exe netsh.exe PID 1876 wrote to memory of 2668 1876 rundll32.exe tar.exe PID 1876 wrote to memory of 2668 1876 rundll32.exe tar.exe PID 4812 wrote to memory of 4276 4812 Utsysc.exe rundll32.exe PID 4812 wrote to memory of 4276 4812 Utsysc.exe rundll32.exe PID 4812 wrote to memory of 4276 4812 Utsysc.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c963942b7b60bf1352d07f136ce4d5f0.exe"C:\Users\Admin\AppData\Local\Temp\c963942b7b60bf1352d07f136ce4d5f0.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 5922⤵
- Program crash
PID:5024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 6642⤵
- Program crash
PID:4732 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7322⤵
- Program crash
PID:4852 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7402⤵
- Program crash
PID:4144 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 7362⤵
- Program crash
PID:2524 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 8682⤵
- Program crash
PID:4108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11122⤵
- Program crash
PID:2692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11282⤵
- Program crash
PID:2164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 11442⤵
- Program crash
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 6043⤵
- Program crash
PID:3920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 7003⤵
- Program crash
PID:2120 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 7003⤵
- Program crash
PID:1872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 8483⤵
- Program crash
PID:4904 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 8403⤵
- Program crash
PID:3524 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 8403⤵
- Program crash
PID:2032 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 7483⤵
- Program crash
PID:5076 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe" /F3⤵
- Creates scheduled task(s)
PID:700 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 9483⤵
- Program crash
PID:2896 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 6403⤵
- Program crash
PID:1140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 6563⤵
- Program crash
PID:3328 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 11163⤵
- Program crash
PID:3608 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 12003⤵
- Program crash
PID:3296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 12723⤵
- Program crash
PID:1184 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 14243⤵
- Program crash
PID:2784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 15643⤵
- Program crash
PID:4184 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\90f693c571f58a\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\90f693c571f58a\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:4636
-
C:\Windows\system32\tar.exetar.exe -cf "C:\Users\Admin\AppData\Local\Temp\067295379148_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"5⤵PID:2668
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\90f693c571f58a\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 12003⤵
- Program crash
PID:3876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 10123⤵
- Program crash
PID:3780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 13763⤵
- Program crash
PID:828 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 6722⤵
- Program crash
PID:1252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3876 -ip 38761⤵PID:4408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3876 -ip 38761⤵PID:4316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3876 -ip 38761⤵PID:2064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3876 -ip 38761⤵PID:3452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3876 -ip 38761⤵PID:3372
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3876 -ip 38761⤵PID:4168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3876 -ip 38761⤵PID:1616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3876 -ip 38761⤵PID:4260
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3876 -ip 38761⤵PID:5036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3876 -ip 38761⤵PID:1512
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4812 -ip 48121⤵PID:5052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4812 -ip 48121⤵PID:3052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4812 -ip 48121⤵PID:3424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4812 -ip 48121⤵PID:2300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4812 -ip 48121⤵PID:1564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4812 -ip 48121⤵PID:876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4812 -ip 48121⤵PID:2956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4812 -ip 48121⤵PID:3460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4812 -ip 48121⤵PID:2064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4812 -ip 48121⤵PID:1868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4812 -ip 48121⤵PID:2508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4812 -ip 48121⤵PID:3376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4812 -ip 48121⤵PID:2860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4812 -ip 48121⤵PID:1456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4812 -ip 48121⤵PID:928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4812 -ip 48121⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe1⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 4362⤵
- Program crash
PID:4632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1632 -ip 16321⤵PID:2152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4812 -ip 48121⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe1⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 4282⤵
- Program crash
PID:2860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2556 -ip 25561⤵PID:1376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4812 -ip 48121⤵PID:2244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
79KB
MD5d841fc2298b68bb21a2b23400cb6cd53
SHA1ca0a0ff59b3afec8e0b85ef295512305efa795c9
SHA2567c277eae2f89ee1fda50a02f3e57f454456586c48451ca279dc06045e3979e6d
SHA51222aaed539cc6251393ae80aae941ec7e346ff544552bdb61d5306fd4e1c9403f7c36197284530e251757176d7c18d6c96157a0f02cbcdafd01c254982d630b55
-
Filesize
1024B
MD50f343b0931126a20f133d67c2b018a3b
SHA160cacbf3d72e1e7834203da608037b1bf83b40e8
SHA2565f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
SHA5128efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461
-
Filesize
453KB
MD5c963942b7b60bf1352d07f136ce4d5f0
SHA17bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA25629b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
Filesize
453KB
MD5c963942b7b60bf1352d07f136ce4d5f0
SHA17bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA25629b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
Filesize
453KB
MD5c963942b7b60bf1352d07f136ce4d5f0
SHA17bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA25629b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
Filesize
453KB
MD5c963942b7b60bf1352d07f136ce4d5f0
SHA17bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA25629b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
Filesize
453KB
MD5c963942b7b60bf1352d07f136ce4d5f0
SHA17bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA25629b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
-
Filesize
102KB
MD53727880831612b8461cf81cc4e05d2a3
SHA1cba779d2e241202cb36bc1cc508d281dde503a27
SHA2564660227f0b71547871b4f33ff2b92b55b2563138c257f0c361270587b2a420ef
SHA5128d7959c13672d5c17535aaa5056e35d515cd918d0196e61c842bd10a1664b4abc9a71977494b14f813bd6d912828d41eb01d8ca021f0666ddadec0072d6930f6
-
Filesize
102KB
MD53727880831612b8461cf81cc4e05d2a3
SHA1cba779d2e241202cb36bc1cc508d281dde503a27
SHA2564660227f0b71547871b4f33ff2b92b55b2563138c257f0c361270587b2a420ef
SHA5128d7959c13672d5c17535aaa5056e35d515cd918d0196e61c842bd10a1664b4abc9a71977494b14f813bd6d912828d41eb01d8ca021f0666ddadec0072d6930f6
-
Filesize
102KB
MD53727880831612b8461cf81cc4e05d2a3
SHA1cba779d2e241202cb36bc1cc508d281dde503a27
SHA2564660227f0b71547871b4f33ff2b92b55b2563138c257f0c361270587b2a420ef
SHA5128d7959c13672d5c17535aaa5056e35d515cd918d0196e61c842bd10a1664b4abc9a71977494b14f813bd6d912828d41eb01d8ca021f0666ddadec0072d6930f6
-
Filesize
1.2MB
MD5a17a5ab2d131cd9eefcece4f1d22e531
SHA1e418791abf05d490df0c009b8f7d79c2eea2d147
SHA256fd607c65470433fd57bad5fa9b30a46bbfc5dfd918f56327e243646c9548681e
SHA5129bf1ecaf6d711e4ce727da70a21b6e8b69fa86ed89c20e8c36907e7c8e01de821d06f77e40017f843bd0d4343ac7d258327543a7cd2639f8db47bb51016ee9fc
-
Filesize
1.2MB
MD5a17a5ab2d131cd9eefcece4f1d22e531
SHA1e418791abf05d490df0c009b8f7d79c2eea2d147
SHA256fd607c65470433fd57bad5fa9b30a46bbfc5dfd918f56327e243646c9548681e
SHA5129bf1ecaf6d711e4ce727da70a21b6e8b69fa86ed89c20e8c36907e7c8e01de821d06f77e40017f843bd0d4343ac7d258327543a7cd2639f8db47bb51016ee9fc
-
Filesize
1.2MB
MD5a17a5ab2d131cd9eefcece4f1d22e531
SHA1e418791abf05d490df0c009b8f7d79c2eea2d147
SHA256fd607c65470433fd57bad5fa9b30a46bbfc5dfd918f56327e243646c9548681e
SHA5129bf1ecaf6d711e4ce727da70a21b6e8b69fa86ed89c20e8c36907e7c8e01de821d06f77e40017f843bd0d4343ac7d258327543a7cd2639f8db47bb51016ee9fc
-
Filesize
1.2MB
MD5a17a5ab2d131cd9eefcece4f1d22e531
SHA1e418791abf05d490df0c009b8f7d79c2eea2d147
SHA256fd607c65470433fd57bad5fa9b30a46bbfc5dfd918f56327e243646c9548681e
SHA5129bf1ecaf6d711e4ce727da70a21b6e8b69fa86ed89c20e8c36907e7c8e01de821d06f77e40017f843bd0d4343ac7d258327543a7cd2639f8db47bb51016ee9fc