Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2023 09:00
Behavioral task
behavioral1
Sample
Roblox-UWP-Executor-main/Execution.dll
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Roblox-UWP-Executor-main/Execution.dll
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
Roblox-UWP-Executor-main/XYZ.dll
Resource
win7-20231023-en
Behavioral task
behavioral4
Sample
Roblox-UWP-Executor-main/XYZ.dll
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
Roblox-UWP-Executor-main/XYZ.exe
Resource
win7-20231129-en
General
Target: Roblox-UWP-Executor-main/XYZ.exe
Size: 3.1MB
MD5: 6798986718c9d923ae747ff1bed1a16f
SHA1: dbf6ebb0b412286ec6007409f15d20c90038528b
SHA256: aa820cb29814aa7a79e6016c8d5a3b1a0bcf13fdea5b9625c7939095f37848d9
SHA512: 07f0b0de77bc63492033e7fa5891286fe52597913d353b48fc97d6ed99116a729a2154ce0e32a11679c212b058daa0c8b299cff9a7c7506ee9d47fbf4eabedf7
SSDEEP: 49152:yvdt62XlaSFNWPjljiFa2RoUYI8lCtBeiLoG/pTHHB72eh2NT:yvf62XlaSFNWPjljiFXRoUYIuCF
Malware Config
Extracted
quasar
1.4.1
Office04
smirkdns.ddns.net:4782
45259779-0dcb-4afe-a014-ae49cf73286e
encryption_key: 38F8A837013773F52CA41CD4456A32A9B17A9557
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: AustiBlox
subdirectory: SubDir
Signatures
Quasar payload 10 IoCs
resource | yara_rule
behavioral6/memory/4272-0-0x0000000000480000-0x00000000007A4000-memory.dmp | family_quasar
behavioral6/files/0x000700000002320c-8.dat | family_quasar
behavioral6/files/0x000700000002320c-6.dat | family_quasar
behavioral6/files/0x000700000002320c-20.dat | family_quasar
behavioral6/files/0x000700000002320c-29.dat | family_quasar
behavioral6/files/0x000700000002320c-37.dat | family_quasar
behavioral6/files/0x000700000002320c-45.dat | family_quasar
behavioral6/files/0x000700000002320c-53.dat | family_quasar
behavioral6/files/0x000700000002320c-61.dat | family_quasar
behavioral6/files/0x000700000002320c-69.dat | family_quasar
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | Client.exe
Executes dropped EXE 8 IoCs
pid | Process
2392 | Client.exe
3628 | Client.exe
2176 | Client.exe
4780 | Client.exe
3856 | Client.exe
1072 | Client.exe
1580 | Client.exe
3908 | Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 7 IoCs
pid | Process
3412 | PING.EXE
4256 | PING.EXE
3324 | PING.EXE
4376 | PING.EXE
4896 | PING.EXE
1964 | PING.EXE
4636 | PING.EXE
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4272 | XYZ.exe
Token: SeDebugPrivilege | 2392 | Client.exe
Token: SeDebugPrivilege | 3628 | Client.exe
Token: SeDebugPrivilege | 2176 | Client.exe
Token: SeDebugPrivilege | 4780 | Client.exe
Token: SeDebugPrivilege | 3856 | Client.exe
Token: SeDebugPrivilege | 1072 | Client.exe
Token: SeDebugPrivilege | 1580 | Client.exe
Token: SeDebugPrivilege | 3908 | Client.exe
Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
2392 | Client.exe
3628 | Client.exe
2176 | Client.exe
4780 | Client.exe
3856 | Client.exe
1072 | Client.exe
1580 | Client.exe
3908 | Client.exe
Suspicious use of SendNotifyMessage 8 IoCs
pid | Process
2392 | Client.exe
3628 | Client.exe
2176 | Client.exe
4780 | Client.exe
3856 | Client.exe
1072 | Client.exe
1580 | Client.exe
3908 | Client.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2392 | Client.exe
3628 | Client.exe
4780 | Client.exe
3856 | Client.exe
1072 | Client.exe
1580 | Client.exe
3908 | Client.exe
Suspicious use of WriteProcessMemory 58 IoCs
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\XYZ.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

depth 2: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

depth 3: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VslMXHUFP8MW.bat" "
- Suspicious use of WriteProcessMemory
PID:544

depth 4: C:\Windows\system32\chcp.com
chcp 65001
PID:3048

depth 4: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:4636

depth 4: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628

depth 5: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUbZr62u4fH8.bat" "
- Suspicious use of WriteProcessMemory
PID:4432

depth 6: C:\Windows\system32\chcp.com
chcp 65001
PID:4652

depth 6: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:3412

depth 6: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176

depth 7: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95DwxjQWzS6q.bat" "
- Suspicious use of WriteProcessMemory
PID:992

depth 8: C:\Windows\system32\chcp.com
chcp 65001
PID:2144

depth 8: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:4256

depth 8: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780

depth 9: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASx26qw3YFNg.bat" "
- Suspicious use of WriteProcessMemory
PID:1688

depth 10: C:\Windows\system32\chcp.com
chcp 65001
PID:4436

depth 10: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:3324

depth 10: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856

depth 11: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OitPqrQhFpMK.bat" "
- Suspicious use of WriteProcessMemory
PID:4236

depth 12: C:\Windows\system32\chcp.com
chcp 65001
PID:1492

depth 12: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:4376

depth 12: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

depth 13: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RrBrvqLsSyD1.bat" "
- Suspicious use of WriteProcessMemory
PID:2240

depth 14: C:\Windows\system32\chcp.com
chcp 65001
PID:4908

depth 14: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:4896

depth 14: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

depth 15: C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3f0T6kqnoMvV.bat" "
- Suspicious use of WriteProcessMemory
PID:3044

depth 16: C:\Windows\system32\chcp.com
chcp 65001
PID:4940

depth 16: C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
PID:1964

depth 16: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3908
Network
MITRE ATT&CK Enterprise v15
Downloads