Analysis
-
max time kernel
132s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
01-03-2024 16:49
Behavioral task
behavioral1
Sample
Aurora_V2/Aurora.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Aurora_V2/Aurora.exe
Resource
win10-20240221-en
Behavioral task
behavioral3
Sample
Aurora_V2/scripts/scripts.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Aurora_V2/scripts/scripts.dll
Resource
win10-20240221-en
General
-
Target
Aurora_V2/Aurora.exe
-
Size
620KB
-
MD5
403c733d425c072e88fc4a61595519dc
-
SHA1
ad25c881299ef6ac612ea36cdd40884caa479ba4
-
SHA256
96666cb323337b2fc5e3b87369639e637df2bb864a18422fd115c0f8f198b879
-
SHA512
1a30c2be85ec14cb644f3a81062a05b2759c09b6e29245a6856320f47865cd207b694feac6951e1d91c2350cfbe0bdbca2b302d02e92e3286de7bd2b9aafcf3e
-
SSDEEP
12288:vSIl566+QljEifBxARfzH5tCe7xChZZ8F39YaLFWlrSpKKIul5:Z5qUEi0RfzF7cH8waLQlaIul5
Malware Config
Extracted
redline
@dxrkl0rd
45.15.156.167:80
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\svchost.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\svchost.exe family_zgrat_v1 behavioral2/memory/2788-66-0x0000000000690000-0x0000000000D18000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2364-0-0x00000000007B0000-0x0000000000800000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
conhost.exe7z.exe7z.exe7z.exeInstaller.exesvchost.exepid process 3092 conhost.exe 5112 7z.exe 2516 7z.exe 3464 7z.exe 1872 Installer.exe 2788 svchost.exe -
Loads dropped DLL 4 IoCs
Processes:
7z.exe7z.exe7z.exesvchost.exepid process 5112 7z.exe 2516 7z.exe 3464 7z.exe 2788 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe" powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
svchost.exeInstaller.exedescription pid process target process PID 2788 set thread context of 776 2788 svchost.exe RegSvcs.exe PID 1872 set thread context of 4252 1872 Installer.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 4200 schtasks.exe 4768 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
Aurora.exeRegSvcs.exepowershell.exepowershell.exepid process 2364 Aurora.exe 2364 Aurora.exe 2364 Aurora.exe 4252 RegSvcs.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe 1492 powershell.exe 1492 powershell.exe 4252 RegSvcs.exe 1492 powershell.exe 4252 RegSvcs.exe 4252 RegSvcs.exe 4252 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
Aurora.exe7z.exe7z.exe7z.exeRegSvcs.exeRegSvcs.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2364 Aurora.exe Token: SeRestorePrivilege 5112 7z.exe Token: 35 5112 7z.exe Token: SeSecurityPrivilege 5112 7z.exe Token: SeSecurityPrivilege 5112 7z.exe Token: SeRestorePrivilege 2516 7z.exe Token: 35 2516 7z.exe Token: SeSecurityPrivilege 2516 7z.exe Token: SeSecurityPrivilege 2516 7z.exe Token: SeRestorePrivilege 3464 7z.exe Token: 35 3464 7z.exe Token: SeSecurityPrivilege 3464 7z.exe Token: SeSecurityPrivilege 3464 7z.exe Token: SeDebugPrivilege 776 RegSvcs.exe Token: SeDebugPrivilege 4252 RegSvcs.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeDebugPrivilege 1492 powershell.exe -
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
Aurora.execonhost.execmd.exesvchost.exeInstaller.exeRegSvcs.execmd.execmd.execmd.exedescription pid process target process PID 2364 wrote to memory of 3092 2364 Aurora.exe conhost.exe PID 2364 wrote to memory of 3092 2364 Aurora.exe conhost.exe PID 2364 wrote to memory of 3092 2364 Aurora.exe conhost.exe PID 3092 wrote to memory of 4012 3092 conhost.exe cmd.exe PID 3092 wrote to memory of 4012 3092 conhost.exe cmd.exe PID 4012 wrote to memory of 984 4012 cmd.exe mode.com PID 4012 wrote to memory of 984 4012 cmd.exe mode.com PID 4012 wrote to memory of 5112 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 5112 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 2516 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 2516 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 3464 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 3464 4012 cmd.exe 7z.exe PID 4012 wrote to memory of 1712 4012 cmd.exe attrib.exe PID 4012 wrote to memory of 1712 4012 cmd.exe attrib.exe PID 4012 wrote to memory of 1872 4012 cmd.exe Installer.exe PID 4012 wrote to memory of 1872 4012 cmd.exe Installer.exe PID 4012 wrote to memory of 1872 4012 cmd.exe Installer.exe PID 2364 wrote to memory of 2788 2364 Aurora.exe svchost.exe PID 2364 wrote to memory of 2788 2364 Aurora.exe svchost.exe PID 2364 wrote to memory of 2788 2364 Aurora.exe svchost.exe PID 2788 wrote to memory of 3628 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 3628 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 3628 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 2788 wrote to memory of 776 2788 svchost.exe RegSvcs.exe PID 1872 wrote to memory of 4252 1872 Installer.exe RegSvcs.exe PID 1872 wrote to memory of 4252 1872 Installer.exe RegSvcs.exe PID 1872 wrote to memory of 4252 1872 Installer.exe RegSvcs.exe PID 1872 wrote to memory of 4252 1872 Installer.exe RegSvcs.exe PID 1872 wrote to memory of 4252 1872 Installer.exe RegSvcs.exe PID 4252 wrote to memory of 1124 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1124 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1124 4252 RegSvcs.exe cmd.exe PID 1124 wrote to memory of 208 1124 cmd.exe powershell.exe PID 1124 wrote to memory of 208 1124 cmd.exe powershell.exe PID 1124 wrote to memory of 208 1124 cmd.exe powershell.exe PID 2788 wrote to memory of 1492 2788 svchost.exe powershell.exe PID 2788 wrote to memory of 1492 2788 svchost.exe powershell.exe PID 2788 wrote to memory of 1492 2788 svchost.exe powershell.exe PID 4252 wrote to memory of 1712 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1712 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1712 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1224 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1224 4252 RegSvcs.exe cmd.exe PID 4252 wrote to memory of 1224 4252 RegSvcs.exe cmd.exe PID 1712 wrote to memory of 4200 1712 cmd.exe schtasks.exe PID 1712 wrote to memory of 4200 1712 cmd.exe schtasks.exe PID 1712 wrote to memory of 4200 1712 cmd.exe schtasks.exe PID 1224 wrote to memory of 4768 1224 cmd.exe schtasks.exe PID 1224 wrote to memory of 4768 1224 cmd.exe schtasks.exe PID 1224 wrote to memory of 4768 1224 cmd.exe schtasks.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\conhost.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"3⤵
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\system32\mode.commode 65,104⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p146312891125116171371883110193 -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3464 -
C:\Windows\system32\attrib.exeattrib +H "Installer.exe"4⤵
- Views/modifies file attributes
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"Installer.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off6⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA=="7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
PID:4200 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"7⤵
- Creates scheduled task(s)
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe3⤵PID:3628
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
19KB
MD599c90c326481f56c85dd35d84c79adf2
SHA1abae424259d56d1d724ad4c22812576f466a3bc5
SHA256217c98f50549795fccb4bbc2f8cf9bfc31bce93ce300e1c16fbc3b31d6282ece
SHA512a128ecfcdf9e5348edc2b879d9f4428d693ba4a80b7339c4ee45ee15a31c1e7f4f3d1e6c09e424e3ba65ecc8a0a9d72075ef7a00fbcf249539c3dceab68719ab
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.9MB
MD58340b7602e82921aa8d72ae4f8ea11cc
SHA1a49524d26639130bc09acb4a0187917fbc5ec003
SHA256efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737
SHA512eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD5b5e813efd092c823e641722e0e721cf2
SHA1e381b6fc4a362091a4b09e6e366d15efdb6820d3
SHA256fe75fd8c297d1d223ba238caa95e2d3bd9436538d125c8b87f62a297aeb11b42
SHA512be677d3811cd2a3f6b187ac53e7086307776abc9fef39165c4b0a54aceaa332a88da84e4ce4234a653c12a2a57dabd77ddf74b40ae9e709436b8ac6ef7d96283
-
Filesize
610KB
MD56141fcd89a442521fabada983b07696a
SHA1c884d75aa3df2ab52ad128146e45825466db257e
SHA2565a4414a62987d89c24f62ba447cb25b3310a4e543dcb505a807e62a77d8d1426
SHA5125f482678d7c71127d67f9b52d3e4c4e99111a4a2bbcbf36e299f57c6fffb354a490d573ee565b99483ac9b3ff015fc9337dffdb5d739a94d1994662a5dde0107
-
Filesize
499KB
MD5ca8acb796044d922702f2fedd039c718
SHA145b997cc60b4875eec3f462006f1605dcb16c984
SHA256710634857b5c70a6b6f014da45b0e1705a180aca3f2c1d53c39aa179d2451671
SHA512591c1da7c720500440aa47bc52423457d0963eca381451a6163a144c0168ed863b45872020a2a6fa645b97db397e93060265f7c150616a039c2aed25cd0607da
-
Filesize
2.1MB
MD57f93db1b1ba5dd798ee0fb7ac1ee5b5a
SHA1b68db4bdb7ad77c720a1861ec9158b49b99c3473
SHA25650806e50951c2ab080a1ad10873349940355d49cbecf564bdc4d3ca65516dff2
SHA51241e7df8738ef3f549d20c3943d0a4b2aa34e91675604d0bec62fa6633d7fb262a38adcde70b8c08639cbf9d62cf043b4220b8fc20483f061687815da22faef5a
-
Filesize
2.1MB
MD5fc7c63ffa72326c3641efbdf507ab046
SHA1a65964ee890eabc1e09d16ad4a36fa0530290435
SHA2563bac3a7196c4e1f347bbfc4bb7319c14a60155edadb246cc41f3a251b76f3bf6
SHA51239168751411ceff6b44013bb3eb2ca4a59c6b11f119d3fac72fcf85d401113170dd056d8dcdce29f0f60b38feedc0cb4bc72461ed32c17d6a616c446eacd62e8
-
Filesize
476B
MD54edd28bf306d37273a4b30ef3f75d92f
SHA1db8fbd39931f0faaa160c700435279210bf97cc3
SHA256e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130
SHA512b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df
-
Filesize
3.4MB
MD52c1b47e61eea814395d12967f51eedba
SHA185593a9de1515caad975be4ec2e95d2451cb8246
SHA256cad7a1b429d70e52ee7d52b474e30318c7196fb9f12400e030387e48316e6373
SHA51277e7e5314095f77dc8c7c0b3b20d485e4e30f85dc2c8536bc56fc00f5ac23bd1a8d1a7bf2a6249f03a9daa55cf222e049058d8375e3c60de72406cdaefff02be
-
Filesize
1.1MB
MD5995201bd2171b22a161c689db920afa6
SHA109871ed7f73b9a80b3e2a8771afffdec7fbf663c
SHA256ff5bf4791c645ee863365f11206d2fb3188343f141624b35779c52816e27a13e
SHA51268fd5796bff605ef0864ac25699db76cfd9dc7e3a6141bfb0902aa2977373cf66607294787635b83a2c0b29dcba39a11863b97982a6f26a05288b0551e9f822e
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719