Analysis
-
max time kernel
155s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
06/01/2024, 18:17
Static task
static1
Behavioral task
behavioral1
Sample
80C6039DC12399E3F771632F0A44C4C3.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
80C6039DC12399E3F771632F0A44C4C3.exe
Resource
win10v2004-20231215-en
General
-
Target
80C6039DC12399E3F771632F0A44C4C3.exe
-
Size
1.6MB
-
MD5
80c6039dc12399e3f771632f0a44c4c3
-
SHA1
f609ba2e8bc0d4b395b83f38a4867fcdb9b6bfdd
-
SHA256
f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f
-
SHA512
83b8fb0f9943c11012a82049d7861a3b7ec9753036de402c82ac433a5235cb95a104dd69b29ed110cd9dfe3b8ab062d916956f6f66864bf79876e926c2c5a6a5
-
SSDEEP
49152:2dh0Omwse7edN51glfneOTS9rFJMkn4Rli/Ea:2dcwN25efeIS9rF6k4RQM
Malware Config
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2308-192-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2308-194-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/2308-198-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
Nirsoft 3 IoCs
resource yara_rule behavioral2/memory/2308-192-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2308-194-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2308-198-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation shadowscripts fixed.exe Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation sanas.scr -
Executes dropped EXE 8 IoCs
pid Process 384 shadowscripts fixed.exe 1588 microsofts.exe 4676 sanas.scr 1304 wuapihost.exe 4288 svchost.exe 3204 Server2223.exe 4548 Server.exe 2112 Server.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Manager = "C:\\Program Files (x86)\\ARP Manager\\arpmgr.exe" microsofts.exe Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sanas.scr" sanas.scr Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" Server.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA microsofts.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1588 set thread context of 2308 1588 microsofts.exe 113 PID 1588 set thread context of 844 1588 microsofts.exe 115 -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\ARP Manager\arpmgr.exe microsofts.exe File created C:\Program Files (x86)\ARP Manager\arpmgr.exe microsofts.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings sanas.scr Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings Server.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 3076 powershell.exe 3076 powershell.exe 4420 powershell.exe 4420 powershell.exe 3076 powershell.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 4420 powershell.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe 1588 microsofts.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 1588 microsofts.exe 2112 Server.exe 4548 Server.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1588 microsofts.exe Token: SeDebugPrivilege 4420 powershell.exe Token: SeDebugPrivilege 3076 powershell.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4288 svchost.exe 4676 sanas.scr 4548 Server.exe 2112 Server.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4288 svchost.exe 4676 sanas.scr 2112 Server.exe 1564 OpenWith.exe 3424 OpenWith.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 844 wrote to memory of 384 844 vbc.exe 91 PID 844 wrote to memory of 384 844 vbc.exe 91 PID 844 wrote to memory of 384 844 vbc.exe 91 PID 844 wrote to memory of 1588 844 vbc.exe 92 PID 844 wrote to memory of 1588 844 vbc.exe 92 PID 844 wrote to memory of 1588 844 vbc.exe 92 PID 844 wrote to memory of 4676 844 vbc.exe 93 PID 844 wrote to memory of 4676 844 vbc.exe 93 PID 384 wrote to memory of 3076 384 shadowscripts fixed.exe 94 PID 384 wrote to memory of 3076 384 shadowscripts fixed.exe 94 PID 384 wrote to memory of 3076 384 shadowscripts fixed.exe 94 PID 384 wrote to memory of 4420 384 shadowscripts fixed.exe 101 PID 384 wrote to memory of 4420 384 shadowscripts fixed.exe 101 PID 384 wrote to memory of 4420 384 shadowscripts fixed.exe 101 PID 384 wrote to memory of 1304 384 shadowscripts fixed.exe 106 PID 384 wrote to memory of 1304 384 shadowscripts fixed.exe 106 PID 384 wrote to memory of 4288 384 shadowscripts fixed.exe 109 PID 384 wrote to memory of 4288 384 shadowscripts fixed.exe 109 PID 384 wrote to memory of 3204 384 shadowscripts fixed.exe 99 PID 384 wrote to memory of 3204 384 shadowscripts fixed.exe 99 PID 384 wrote to memory of 3204 384 shadowscripts fixed.exe 99 PID 4676 wrote to memory of 4548 4676 sanas.scr 103 PID 4676 wrote to memory of 4548 4676 sanas.scr 103 PID 4288 wrote to memory of 2112 4288 svchost.exe 102 PID 4288 wrote to memory of 2112 4288 svchost.exe 102 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 2308 1588 microsofts.exe 113 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115 PID 1588 wrote to memory of 844 1588 microsofts.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"1⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076
-
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"3⤵PID:4288
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2112
-
-
-
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"3⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\Server2223.exe"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"3⤵
- Executes dropped EXE
PID:3204
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
-
C:\Users\Admin\AppData\Local\Temp\microsofts.exe"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\fltbew5y.yr1"3⤵
- Accesses Microsoft Outlook accounts
PID:2308
-
-
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\ytmrj20j.erj"3⤵
- Suspicious use of WriteProcessMemory
PID:844
-
-
-
C:\Users\Admin\AppData\Local\Temp\sanas.scr"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4548
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1564
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3424
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
- Executes dropped EXE
PID:1304
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
905KB
MD5ea8cd5a2fc982a586ca1bdc96f877758
SHA1dda1ea30c49d90608ee25b9a310cc3d7fe73b784
SHA2565d447bce28be94ee602d4e4d0056ac1d2224d2c1a42f91fab4198b51bbeaa81e
SHA5121d5f227f366a0c5036637d31e16fe2bc939af37659dec7e2854c341391b6cc572c8f1c6dcb7b2b3245ed012547a01bb620b15afa42c45854eba5e3d60daf51cd
-
Filesize
913KB
MD5799c188cf6df366f4c0f98b8800a4977
SHA1161d6006518879ecba6cf45b29599992d8eadfce
SHA25632e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841
SHA51232a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1
-
Filesize
183KB
MD5b9d1be8ae4f4a7a77f309b032a914564
SHA13b9da974e959adbb0f12705c64fd58e0c8ec5b18
SHA2565f9c9f9af0dc5779d63ea334443d512d675b99c588f2505b652d49d02650c3ba
SHA512dfadf27f176fe700df9dd9a979e030d362e906a25815eccb1a40c09d8dfee542a75ababbc361833742891fd5d0358233ad68cac05c12aedca1e5d93ae370fc14
-
Filesize
93KB
MD586757f6c08b6cb698250cc9fc1816a8e
SHA1fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a
SHA25698fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff
SHA512cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
523B
MD569b2a2e17e78d24abee9f1de2f04811a
SHA1d19c109704e83876ab3527457f9418a7d053aa33
SHA2561b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
SHA512eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f
-
Filesize
44B
MD55389b11510f65424863e2e9724bd65e4
SHA1071102005e3217b50283b71ee33858bb15606549
SHA256fecb0cdb9664c0c83a84dff897fecff3773df1d4d5a6fc5c84e2187027315fa7
SHA512ba78a6c2619bd7a4d4428a5b0b739e109dfa9ddb8925a005067f8b7091744bd9e16e007d32f62ae42768f3f45fb8aefe496f5a3ef617862127b53a88f86514ff
-
Filesize
43B
MD5fba0a770926236f6ba95be6e970e6b84
SHA16706c0cf9ce59152c17b887d454c877a9579bd1d
SHA25610f09dcc6b21f03ab4293d302475f90c96ccc4b746bb3dcdc1b241bcac03aca6
SHA512700016be260852b8909b69e0fbf26ffc24d3ebfe40604e8f5d8a0bc76dcef861c11b269047ec5b68177dd7f29b8836f92c38864a5a42568f8a1ac8f360fcf252
-
Filesize
202KB
MD55fdd418baf9c0d789e67758ad9f2dd1a
SHA1c0be3be193af670cfe01a64aef7c5b0a0b9d091a
SHA25682f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47
SHA5129ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50
-
Filesize
183KB
MD5b7cedaa564e3fb095f94aef59f7ed0da
SHA13f93a84f2d290840cfb5418e15c47dda39ab967d
SHA256526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc
SHA51218d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d
-
Filesize
1.2MB
MD54c624867a94fee20d81b9e14755165de
SHA16f5afb06ff6278616f8fb0cd81ad1e164b0fee24
SHA2569a1ef7b5af62c005df90a75846e390e1695ecd18c7727b8e039e4b5842d6f388
SHA5120a40dc67d116b9726c3129a88e82c536273b4ad42f850ca78828b042dc5d20313caf1ee8a8a7136efab6027fa2f7bcf1551fac61f239c10d865f5664a8006064
-
Filesize
3KB
MD502524418240369b25b988e9884cd1c54
SHA142a33322d952edf6d8431d4cd788bbc863d2b890
SHA25680b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37
SHA5127c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f
-
Filesize
25KB
MD50d0aeada15a7006b4bf0cff69abd6dad
SHA10cdb1ad92197a50f16712389f0de7582cd73533c
SHA256901678e85e472014f4772e98e608de1b825d2c706af276463d455b4f9336e863
SHA5121eaade55ecab10180ca7e7cd038ceba39598bd63baa048d6e4ec871259cca21bc163c256d92c38a574595d06f6abe87a413788979aea26255a1b5f474a8f0d65